Since 25 May 2018, the processing of personal data by Finnish organizations has been required to comply with the EU General Data Protection Regulation. The General Data Protection Regulation has harmonized the rules on the processing of personal data within the EU and strengthened the data protection of individuals compared to the previous situation. The significant threat of sanctions steers organizations toward processing personal data in the manner the Regulation defines.
In practice, the General Data Protection Regulation entails the following for all Finnish organizations:
1. It must be determined what personal data the organization collects, processes, and stores. Typically, personal data accumulate about the organization’s employees, current customers, and potential customers (marketing registers).
2. It must be ensured that the processing of personal data complies with the requirements, such as: not collecting and storing unnecessary information, ensuring the information is accurate, deleting the data when the basis for storage ceases, and ensuring that the processing and storage of data are limited and secure.
3. Upon request by a data subject, all personal data registered about the person must be provided to them, inaccurate data must be corrected, and any request for deletion must be complied with.
4. A thorough assessment must be made of the risks associated with the processing of personal data. In the General Data Protection Regulation, risks refer to any physical, material, or immaterial harm that may be caused to a data subject by the processing of their personal data.
5. Compliance with the Regulation typically requires staff training and guidance, confidentiality agreements, premises monitoring, operational monitoring, information system security, and data encryption.
6. It must be possible, when necessary, to demonstrate to the data protection authority that the organization’s processing of personal data complies with the requirements. Therefore, it is advisable to document the processes related to the processing of personal data.
7. There is an obligation to report personal data breaches to the data protection authority and to the individuals concerned. A personal data breach refers to a security breach that leads to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data.
8. All personal data breaches and matters related to the violation, the effects of the violation, and the corrective measures taken must be documented. Based on this documentation, the supervisory authority must be able to verify that the data controller has fulfilled their notification obligation.
Failure to comply with the General Data Protection Regulation may result, for private organizations, in a reprimand, the imposition of corrective measures concerning the processing of personal data, or a fine. The sanction may amount to a maximum of 20 million euros or 4% of the total annual turnover.
Tekniikantie 14 (Innopoli 2) | 02150 ESPOO, FINLAND
+358 9 43910 200 | information@suomenturvaposti.fi