Data protection risks and related regulation

Personal data might be

• viewed without cause either accidentally or on purpose
• handled in systems that do not meet up-to-date requirements
• handled in such a way that the processing is not properly planned, documented and carried out.

Data can be stored for unnecessarily long periods of time in places that have no proper supervision over the processing, such as on network disks that do not store and use log data.

A typical example is that the organisation stores personal data for which it no longer has an appropriate purpose of use and in such places that have no systematic supervision. For example, personal data may be forgotten on network disks, emails or on the staff’s own computers.

In the event of a data security incident, the attacker may then gain access to a larger amount of data than would have been possible with the appropriate storage of personal data.

Risks related to data protection might not be investigated due to urgency or lack of resources, for example. Similarly, they might have left out the impact assessment of personal data, or the examination of the processors’ supply chains.

In that case, the controller faces the realised risk where it does not know what kind of risks apply to data protection and personal data. From the perspective of the data subject, there is a risk that the processing of personal data does not comply with the principles of data protection.

When the risks have not been identified

• information security deviations might not be detected
• impacts on the organisation and data subjects may come as a surprise and
• the effects may be more severe than would have been possible by following good data protection practices.

Even good risk management of digital security, data protection and information security cannot eliminate all risks to data protection and the processing of personal data.

Some of the risks can be eliminated, while for others, the impacts or probability of the realisation of the risk, or both, can be reduced. However, certain residual risks remain. For this reason, processes related to precautionary measures and continuity management should be planned in case the identified risks are triggered: what to do when a risk becomes real?

Acts specifying which personal data the municipality must process, why and for how long:

• Local Government Act
• Act on Early Childhood Education and Care
• Basic Education Act
• Land Use and Building Act
• Archives Act.

Provisions specifying which personal data the central government must process, why and for how long are laid down in legislation related to

• taxation
• judiciaries
• police operations
• military operations, and
• sectors of different ministries.

Acts that define the activities of higher education institutions and their purposes of processing personal data include

• acts and decrees on universities of applied sciences and
• the Universities Act.

Legislation specifying which personal data a wellbeing services county must process, why and for how long include

• Act on Wellbeing Services Counties and
• Act on Organising Healthcare and Social Welfare Services.

This is often the case when

• the organisation uses cloud services
• the organisation’s service supply chain or parts of it are located outside the European Union or the European Economic Area, or
• the organisation has stakeholders that are active in third countries.

If personal data under the responsibility of the controller organisation is processed in countries outside the EU or EEA (third countries), the controller must ensure that the legislation of the target country or countries is at the level required by the EU General Data Protection Regulation.

You can conduct a Transfer Impact Assessment (TIA) to ensure this objective. The controller organisation must assess the state of legislation in the target country. In other words, it must carry out an assessment related to the transfer of data whenever it recognises that the personal data it processes is or can be transferred

• to third countries, that is, countries which are not part of the European Union or the European Economic Area, or
• to parties to which the European Commission has not adopted an adequacy decision (meaning parties to which it has not issued a decision on the adequacy of the protection of personal data).

An adequacy decision may concern a specific country, territory, sector or international organisation of the European Union and the European Economic Area.

• Read more about the adequacy decision and actors who have received it on the Data Protection Ombudsman’s websiteOpens in a new window..
• Read more about the TIA and tools for carrying it out on the International Association of Privacy Professionals (IAPP) websiteOpens in a new window..