More than compliant
Advancing digital technology, robots, drones, the internet of everything – all that new-new – raises questions about protecting one’s personal data. For companies regardless of size and field it means a heavy set of data protection regulations. We dug into the topic with Nokia’s Director for Privacy Mikko Niva.
Text Heini Santos
Photos Ari Heinonen, Pekka Nieminen, Pauliina Salonen/Otavamedia
BORENIUS FINLAND – Previously, data protection was not an issue for many Finnish companies outside of IT and mobile technology, but things are about to change. The European Parliament has agreed on the structure and fundamentals of the General Data Protection Regulation (GDPR). Tentatively, the regulation will take effect in 2015.
The good news? Companies can operate under one shared law in Europe, and the citizens’ rights on their personal data will be stronger. At the same time, the administrative burden will blow up, as will the market for data protection experts. Sanctions can reach up to 5 percent of the annual worldwide turnover of the company, which assures that data protection will jump the queue on executive agendas.
No finish line
Data protection elements are strongly rooted in Nokia’s company culture as Nokia is engaged in technologies, products, and services with obvious privacy impacts.
“For us it is about far more than just being compliant with the law. Today, privacy is one of the key policy discussions globally and an area of innovation where technology leadership can be demonstrated. Most importantly, the society and customers simply expect organizations to handle personal data responsibly,” Niva says.
To address privacy questions in a growingly complex business environment, Nokia has a comprehensive privacy program based on a well-recognized accountability principle. That means group-wide executive accountability and oversight responsibilities, policies and processes to implement them, privacy owners and officers in all business units who implement the program within the business area, training and awareness activities, privacy engineering and compliance assurance processes to ensure all activities comply with requirements and to ensure Privacy by Design, as well as monitoring and auditing compliance and internal enforcement.
“We keep track of our activities, and for example last year we conducted over a hundred privacy assessments a month. The standard for privacy is high so the company can rely on the practically same internal set of rules in every country it operates in. This is both an ethical choice and a matter of operational efficiency,” says Niva.
“This is not a project with a finish line. We continue to move forward as an organization.”
Having offices in Helsinki, St. Petersburg, New York, and the Baltic countries, Attorneys at law Borenius has the upper hand in global data protection projects.
Borenius’ Specialist Partner Hannu Järvinen and Partner Jarno Vanto are exceptional in the Finnish law firm scene for having the European Privacy expert accreditations that allows them to evaluate IT products and services in compliance with the European data protection law.
“The nature of data protection is currently such that you always have to find out how things work in each country of operation. Typically, data protection questions come up when launching a campaign that involves collecting data, or when transferring personal data to another country, for instance while outsourcing the HR system,” says Järvinen.
Järvinen underlines the importance of maintenance when planning an initial compliance project.
“The process must be one that can be easily repeated – many larger companies do auditing annually. The project is interactive and can easily take months, depending on how comprehensive the scope of the audit is.”
Vanto, who is based in New York, sheds light on the global scope of data protection.
“Data protection is not just a European phenomenon anymore but it covers the entire globe, and legislators are trying to match up with the quickly changing world of digital technology. The GDPR will make it somewhat challenging for companies to operate flexibly on the international market,” he says.
A critical task for any company is to put in place an ongoing program for data protection compliance, not just a patchwork of initiatives. The program should consider all the countries in which the company operates as well as the types of personal data and the purposes for processing it.
Data protection checklist
- Scan your data environment. Do a data inventory and set your goals. The accountability model can be scaled to companies of all sizes.
- Appoint privacy officers. There has to be someone who is accountable.
- Draw a plan. The Finnish law requires companies to have a plan for handling personal data. Remember to review your contracts with subcontractors.
- Start fixing your risky practices one by one.
Read more about data protection in the feature article Responsibility cannot be transferred