In May last year the GDPR, the General Data Protection Regulation, entered into force. The General Data Protection Regulation is, in its "simplicity", a law made by the European Union which regulates the use and processing of people's personal data. The regulation is based on the Charter of Fundamental Rights of the European Union, which can easily be thought of as comparable to European human rights. The regulation is thus applicable in Finland in its entirety, and even though Finland has its own Data Protection Act, that act only complements the application of the GDPR. You as a natural person have rights regarding how your personal data is handled, who handles it, how it is done, and how you can affect it. Viewed strictly from this angle the GDPR seems pretty nice, but as one person's freedom is another's responsibility, the GDPR does create new and heavy responsibilities for the entrepreneur.
The GDPR is founded on the idea that once someone collects personal information (data) about a person, a legal responsibility is created for that someone to process and store that information in a certain way. What, then, is meant by collecting data, and what by storing it? First, one needs to have a legally accepted basis for collecting the data. In practice this usually means asking permission from the person whose data is collected. Second, if the collected data makes it possible to identify a person from that data, then the collection is to be understood as a data registry in the meaning of the Regulation. This registry creates a legal responsibility for its holder to manage and use it properly. The regulation does not distinguish between data stored on a server and data stored in a notebook. The EU court has for example ruled that when the Finnish Jehovah's Witnesses collected a list of doors knocked and houses visited, this list was unlawful, as the people marked in the list had not been asked for their consent to be included in it.
The previously explained legal responsibility is not imposed on private persons if their information collection relates only to their own personal life and activities. An entrepreneur or a company cannot use the same exemption. For example, if your company has an application that it manages, your company is responsible for the correct processing and storage of all information collected and sent to you by that application. This is also the case when your store has a list of good loyal customers, or of customers in general. Or, for example, if your business has a website that collects a list of its visitors (which is very common for websites). It is difficult for today's entrepreneur to avoid liability under the new privacy regulation. It is safe to say that a modern entrepreneur can hardly escape the grasp of the General Data Protection Regulation and the responsibilities it creates.
Ok, so your company has personal data of natural persons (data subjects); what does this then actually mean for you? As previously mentioned, the first question is whether there is a basis, a proper reason, for the collection of the data. There are multiple different legal bases found in the Regulation, of which the simplest is consent. Usually it is enough that you ask for explicit permission for the collection of the personal data. This is however a gross simplification which may change depending on the situation. Even before the collection of the data can be started, the person whose data is collected must be informed of how and for what purpose the data is collected. That person also needs to be informed of how and for how long the data is stored and who has access to it. A company can fulfill these requirements with a Privacy Policy which has to be made available freely and easily. It is smart to draft the Privacy Policy with care, as gaps in it, or deviations from it, can easily be pointed out by the authorities. Because the GDPR regulates data over its whole "lifespan", storing that data also falls under specific regulation. For example, storing data outside of Europe is strongly advised against, as its security cannot then be guaranteed. Responsibility for the security of the data also falls on the one controlling the data. If something surprising happens to the data or the wrong person accesses it, the controller of the data is primarily held responsible. A big part of the data controller's responsibility comes from the rights of the data subjects. The person whose data has been collected has the right to change, remove, transfer, correct or restrict the data that has been collected from them, and the data controller has to react to such requests in some way. As a cherry on top, the data subject (person) needs to be actively and accurately informed of the aforementioned and of any changes to it.
Legal responsibility can thus be quite large. It is then natural to ask who takes care of these responsibilities, and whether there needs to be a special hire for these tasks. The GDPR requires companies and communities to appoint a Data Protection Officer (DPO) to ensure compliance with the Regulation. The Data Protection Officer does not need to be a person who is specifically hired for the task, meaning they can be appointed from among the current employees. However, the expertise required by the position drives many companies to seek the services of an external data protection officer. This is a good solution especially for small- to medium-sized companies whose budget might not accommodate hiring their "own" data protection officer.
Acknowledging all the preceding legal responsibilities, it is logical to think of the consequences of a potential breach. In Finland the authority monitoring GDPR compliance is the Office of the Data Protection Ombudsman. This national authority gives guidance on compliance, issues notifications on small breaches and, as a last resort, imposes administrative fines. Because the justification behind the potential fines is found in fundamental rights, the amount of the fines can be quite high. According to the regulation, the maximum amount of an administrative fine is either twenty million euros (20 000 000) or four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. The Data Protection Ombudsman of Finland has not yet issued any fines, only notifications, for the reason that the regulation is quite new and its application unexplored.
Issues relating to data protection and privacy are a good example of corporate risk management. Usually, the realisation of risks and their consequences can be averted by a small effort from an expert. Data protection and privacy require constant management, so it may become relevant to hire a data protection officer. As Autio Attorneys is specialised in the risk management of companies and enterprises, whether it is the drafting of a privacy policy or the appeal of a fine, Autio Attorneys can help.
Jalmari Männistö
Associate Trainee