Responsibility cannot be transferred
The Finnish Data Protection Ombudsman Reijo Aarnio is not convinced by the Finnish companies’ level of preparation in terms of data protection – nor information security.
Text Heini Santos
Photo Markus Sommers/Tietosuojavaltuutetun toimisto
BORENIUS FINLAND – “We cannot think of data protection as the inevitable evil anymore. It is part of management, and the top executive level of the company needs to commit to it. My experience is that data protection is still considered something that touches the organization in a vertical rather than horizontal manner, even though it penetrates everything”, Data Protection Ombudsman Reijo Aarnio says.
Aarnio brings up the strategic side of protecting information in the realm of the current cloud service trend. Data can easily be transferred outside of the country, or even outside of the EU, but responsibility cannot.
“Today, information is seen as one of the key success factors of a company. Yet, companies with such assets give it out to a cloud service without even knowing its location. This calls for a fresh way of thinking.”
Aarnio encourages companies to stop and think about the purpose of data protection legislation. Why invest into an advertising campaign in attempt to build trust between the company and its customers if the system is not transparent enough for people to see what their information is used for and what their rights are?
“Many Finnish companies resort to package IT solutions but fail to utilize all the essential functions such as data removal or enabling people to review their information. In a sense, the system becomes illegal. Companies should require the system supplier to include these functions and proper user training by default,” Aarnio says.
Read more about data protection: More than compliant