On May last year the GDPR, the General Data Protection Regulation, entered into force. The General Data Protection Regulation is, in its “simplicity”, a law made by the European Union which regulates the use and processing of people’s personal data. The regulation bases itself on the Charter of Fundamental Rights of the European Union, which can easily be thought of as comparable to European human rights. The regulation is thus applicable in Finland in its entirety, and even though Finland has its own Data Protection Act, that Act only complements the application of the GDPR. You as a natural person have rights concerning how your personal data is handled, who handles it, how it is done, and how you can influence it. Strictly from this view the GDPR seems pretty nice, but as one person’s freedom is another’s responsibility, the GDPR does create new and heavy responsibilities for the entrepreneur.
The GDPR is founded on the idea that once someone collects personal information about a person (data), a legal responsibility is created for that someone to process and store that information in a certain way. What, then, is meant by collecting data, and by storing it? First, one needs to have a legally accepted basis for collecting data. In practice this usually means asking permission from the person whose data is collected. Second, if the collected data makes it possible to identify a person from that data, then it is to be understood as a data registry in the meaning of the Regulation. This registry creates a legal responsibility for its holder to manage and use it properly. The regulation makes no difference between data stored on a server and data stored in a notebook. The EU court has for example ruled that when the Finnish Jehovah’s Witnesses collected a list of doors knocked on and houses visited, this list was unlawful, as the people marked in the list had not been asked for their consent to be included in it.
The previously explained legal responsibility does not fall upon private persons if their collection of information relates only to their own personal life and activities. An entrepreneur or a company cannot use the same exemption. For example, if your company manages an application, your company is responsible for the correct processing and storage of all information collected and sent to you by that application. This is also the case when your store keeps a list of good loyal customers, or of customers in general. Or, for example, if your business has a website that collects a list of its visitors (which is very common for websites). It is difficult for today’s entrepreneur to avoid liability under the new privacy regulation; it is safe to say that a modern entrepreneur can hardly escape the grasp of the General Data Protection Regulation and the responsibilities it creates.
Legal responsibility can thus be quite large. It is then natural to ask who takes care of these responsibilities, and whether a special hire needs to be made for these tasks. The GDPR requires companies and communities to appoint a Data Protection Officer (DPO) to ensure compliance with the Regulation. The Data Protection Officer does not need to be a person specifically hired for the task, meaning they can be appointed from among the current employees. However, the expertise required for the position drives many companies to seek the services of an external data protection officer. This is a good solution especially for small- to medium-sized companies whose budget might not accommodate hiring their “own” data protection officer.
Acknowledging all the preceding legal responsibilities, it is logical to think of the consequences of a potential breach. In Finland the authority monitoring GDPR compliance is the Office of the Data Protection Ombudsman. This national authority gives guidance on compliance, issues notifications for small breaches and, as a last resort, imposes administrative fines. Because the justification behind the potential fines is found in fundamental rights, the amount of the fines can be quite high. According to the regulation, the maximum amount of an administrative fine is either twenty million euros (20 000 000) or four percent of the total worldwide annual turnover of the preceding financial year, whichever is higher. The Data Protection Ombudsman of Finland has not yet issued any fines, only notifications, because the regulation is quite new and its application still unexplored.