Legal Alerts/26 Oct 2012

Legal Alert – The Finnish Data Protection Ombudsman Releases Alarming Inspection Results

While attention seems to be shifting more and more towards the proposed new European data protection regulation, it is evident that businesses in Finland are struggling with the current regulatory requirements. In its notice on 25 July 2012 the Data Ombudsman indicated that around 70 private and public online service providers, who had suffered a data breach in 2011, were to be requested to clarify the actions taken to address the inadequacies as to their responsibilities as data controllers. The Finnish Data Ombudsman released the results of the inspection on 10 October 2012.

The results confirm the notion that organizations in Finland are still poorly aware of the responsibilities cast upon them by the Finnish Personal Data Act, a statute in force since 1998. Only 46 percent of the respondents were clear about the requirements set for data controllers to carry out the technical and organizational measures necessary for securing personal data against unauthorized access and other unlawful processing. Keeping in mind that the proposed data protection regulation accentuates the data security responsibilities of data controllers and also processors (e.g. data breach notification in 24 hours), it is worrisome that the understanding of a responsibility as fundamental as data security is lacking in such a major way.

The Finnish Data Ombudsman found that the organizations had difficulties identifying their role in outsourcing situations. An organization that cannot identify its role in the data processing scheme cannot identify its respective responsibilities.

Understanding the difference between data controlling and data processing is the starting point for data protection compliance. The proposed data protection regulation sets legislative responsibilities also for data processors, so it is increasingly important for data processors to know their position in relation to the personal data being processed.

The results also clearly show that data protection is not just compliance but also an integral part of comprehensive business planning, as it was mentioned that many of the businesses that had suffered a data breach were forced to close down their online services.

It comes as no surprise that the Finnish Data Ombudsman announced simultaneously with the results that the inspections are going to be repeated soon. Understandably, the Finnish Data Ombudsman sees the results as unsatisfactory. For example, for 30 percent of the organizations, the experience of a data breach had not resulted in any practical actions. With the proposed data protection regulation in mind, it is possible that compliance issues in Finland are to be dealt with more stringently by the Finnish Data Ombudsman in order to prepare Finnish organizations for the foreseeable future of fully harmonized data protection regulation in the EU along with its strict sanctions. The Finnish Data Ombudsman has also explicitly stated that it shall co-operate with CERT-FI (the Finnish national computer security incident response team) when advising Finnish businesses in relation to their data security responsibilities.

Attorneys at law Borenius Ltd announced its new Data Protection Compliance product on 9 October 2012.
The product is designed to help organizations comply with current data protection legislation in an easy, feasible and cost-effective way. The steps necessary to comply with the upcoming regulation are modest if your organization is already in line with the current rules.
We see that in the future data protection should not be seen as a threat but as an opportunity to differentiate your organization from others. Complying now will give you a head start.
