An interview with Legal Advisor, Mika Pahlsten, focusing on the Finnish response to GDPR.

As I write this blog it has been over 15 months since the European Union’s General Data Protection Regulation (GDPR) was put into operation on 25th of May 2018. I joined Ubisecure’s Sales Engineering team about one year before the launch date and these four magic letters were among the first things I heard whenever I met our customers and leads.

It was obvious that something big was about to happen but nobody was exactly sure what it was. Some vendors were even brave enough to offer ready-made solutions for companies to become GDPR compliant, but somehow that did not seem right. How is it possible to offer an out-of-the-box solution to a problem that requires about 75% internal process development and 25% technical solution? For sure, most of the companies needed something more tailor-made or specific to handle their customer identities in a compliant manner.

In order to get a better understanding of the GDPR, I decided to attend an event conducted by lawyers specialised in GDPR in August 2017. The event was organised by a lawyer – Mika Pahlsten from Azets. I had recently an opportunity to have a short interview with Mika related to the current status of the GDPR in Finnish companies today.

Interview

Mika Pahlsten Azets

Mika Pahlsten

Sami:    Good afternoon Mika, could you tell us something about your background?
Mika:    I hold the Master of Laws with court training (Varatuomari) and I have over 18 years of work experience in law, mostly with labor legislation and HR. I am currently working at Azets as a Legal Advisor. One of my responsibilities is to handle GDPR related issues for Azets and its customers, when these issues concern HR-matters. In this role, I have also organised GDPR related events and conducted GDPR training sessions to companies.

Sami:    How did you come across the GDPR for the first time and what did you think about it at the time?
Mika:    Actually, it was by accident, since the issue was new and somebody just had to take responsibility for it. I have to admit that it was a bit exciting at first as EU regulations are considerably more complicated in comparison to national legislation.

Sami:    In my experience, there was a bit of panic in the air about the GDPR. In your view, how did companies prepare for it?
Mika:    For a lot of companies it was very unclear what they were supposed to do with the GDPR, so it was my job to clarify the picture, to give basic tools and give a proper understanding of it during my training sessions. The goal was that nobody could say that these companies had not followed their responsibilities related to the new regulation.

Sami:    How did the companies schedule their preparation projects?
Mika:    To me, it seemed that most of the companies started the preparations around February-March 2018 timeframe. By that time it had become clear to them that GDPR was going to be put into operation in a couple of months and something needed to be done.

Sami:    GDPR was put into operation on the 25th of May. What actually happened at that point?
Mika:    Many waited for the May 25th 2018 with fear in their eyes. Personally, I got deja-vu from the year 2004 and the beginning of 2005. It was the beginning of 2005 when the Act of Equality between women and men was renewed and it generated a lot of new demands for the companies.  I was working at the Employer’s Confederation at the time, and at least on that side of the labor market field people were pretty sure that companies would end up in a lot of trouble related to some practical arrangements. Then came the day when the act was put into operation but, after all, there was no immediate chaos. I assumed that something similar would happen in the case of GDPR and it did. It is very common that people find new things scary and tend to overreact.

Sami:    I have noticed that some DPOs (Data Protection Officers) have been a little bit disappointed that nothing concrete has happened so far in Finland.
Mika:    I believe they might have thought that the world changed for the better in one go. GDPR is a leap in the right direction but nothing happens overnight.

Sami:    Who monitors that the companies are GDPR compliant?
Mika:    The Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto). But it seems that the authorities have been pretty quiet during the first 1 ¼ year period.

Sami:    There was a lot of talk about the stiff penalties for violating the rules of GDPR such as loss of 4% of the company’s annual global turnover, or €20 million fines. Even the lawyers were quite unsure about it when you asked their opinion. Now that we have lived over a year in the GDPR world what can you say about the sanctions in real-life examples?
Mika:    There have not been so many public cases related to GDPR in Finland so far. It appears that the Finnish authorities have begun their work by counselling and instructing companies rather than giving huge fines right away. In a way, this is understandable since Finland has always been the “kind student of the EU class” with no need for intimidation. Thus initial guidance is usually enough to set companies on the right path.

Sami:    What about at the EU level in general?
Mika:    To mention some GDPR statistics at EU level, it has been estimated that there are 500 000 organisations that have registered DPOs, 64 000 data breach notifications and GDPR enforcement actions have resulted in over € 56 million in fines. You can find more information about the statistics here [in Finnish].

Sami:    What will we see in the future for GDPR?
Mika:    In Finland in the near future, we may see the authorities start to be less lenient as companies have had more time to implement GDPR-compliant procedures. The situation may already be different in other European countries, where the authorities are more active in giving those strict penalties for not following the regulations.

Conclusion

Against all odds, the sky did not fall down after May 25th of 2018. From a Finnish customer perspective, life continues pretty much the same way as before. You might have realised that some service providers are more careful to ask for your consent etc. but for a normal consumer that’s about it.

However, for service providers the situation is different. The monitoring authorities of GDPR have been merciful up until this point but this will change eventually. There will be less space to ignore the regulation. Even at the end of 2018, 7 months into the GDPR, more than 50% of companies said that they were not 100% compliant, and even though the authorities have been very understanding so far, this has to change.

IAM solutions such as Ubisecure’s Identity Platform provide a way to enable secure access to all of your company’s e-services and centralised identity repositories – including self-service portals for end-users to view, manage and modify their identity information. This generates transparency in the spirit of GDPR, of which consumers are increasingly aware.

For further reading take a look at our customer and partner study ‘50% of enterprises and system integrators say it is impossible to comply with the GDPR without a centralised identity management solution‘.