What today’s threat landscape means for data protection leaders

Today, 28 January, marks the annual Data Protection Day, and proper data security remains a key priority. Personal data has become more valuable and more exposed to risk. This article explains what GDPR Article 32 requires and offers insights for Finnish organizations of all sizes. Today is a good time to ask: is your organization ready for a data security incident?

More and more organizations now store data in the cloud, use SaaS platforms and collaboration tools, and rely on AI-powered systems. Data is spread across more places, more people have access to it, and third-party vendors play a bigger role than ever. Meanwhile, cybercriminals have become more sophisticated, using automation and persistent attack methods.

Cyberattacks are now a fact of life for most organizations. Threats are evolving faster than ever and staying protected takes ongoing effort. What worked last year may not work today. Too often, organizations only improve their security after something goes wrong.

The GDPR requires organizations to protect personal data. Article 32 is one of its most important provisions, as it sets out what security measures your organization needs to have in place.

Article 32 applies to any organization that processes personal data. In practice, this means almost every company in Finland—from small online shops and sports clubs to municipalities and large corporations. The GDPR defines two main roles:

  • Controllers decide why and how personal data is processed (for example, an employer keeping employee records), and
  • Processors handle personal data on behalf of controllers (for example, an external payroll provider).

This distinction matters because it determines who is responsible for what. Both controllers and processors must meet the requirements of Article 32.

Article 32 also raises a key question: can you explain and justify how your organization protects personal data, especially when systems, vendors, and threats keep changing? How does your organization keep security measures up to date as technology and risks evolve?

Requirements under Article 32

Article 32 does not demand perfect security. What it does require is good decision-making, appropriate technical and organizational measures, and ongoing oversight. You need to review, test, and update security as your organization, its processes, technology and risks evolve. A 'set and forget' approach will not cut it.

Personal data lives in your systems, is accessed by people, and is often processed in ways that are hard to track. AI and automation have made this data more valuable—and more vulnerable. What was good enough yesterday may not be good enough today.

The GDPR states that security measures must match the level of risk. What counts as 'appropriate' will change as your organization, technology, and threats evolve. To show that your organization is compliant, you need documented evidence that you regularly assess and update your security. The burden of proof falls on the controller. At the same time, authorized users must still be able to access personal data when they need it, and your systems must be able to withstand disruptions and recover quickly.

Data security is a governance issue

Data security is not just a technical issue—it is a leadership responsibility.

When a data breach happens, the first questions are not about technology. Questions come from customers, senior management, and the board:

  1. What was the cause of this incident?
  2. What is the potential damage to the business?
  3. Were the risks properly identified and assessed?
  4. Could this have been prevented with reasonable measures?

In these situations, what matters most is not whether you had the right tools, but whether leadership was actively involved in data protection. Some breaches happen because of unclear accountability, outdated assumptions about security, or risks that were never reassessed. Others happen simply because personal data was mishandled.

Practical example: The Vastaamo case

The Vastaamo case shows what can happen when data security fails. In 2020, hackers broke into the systems of a Finnish psychotherapy provider and stole tens of thousands of sensitive patient records. They then used these records to extort both the company and individual patients. The Finnish Data Protection Ombudsman fined the company EUR 608,000 for failing to meet Article 32 requirements—including weak encryption, poor log monitoring, and inadequate access controls. The breach destroyed public trust and ultimately led to Vastaamo’s bankruptcy.

How we can help

We help organizations turn GDPR requirements into practical steps that hold up under regulatory scrutiny and reflect today’s technology and threats. We focus on security that works in practice.

  1. We assess your data protection against real risks, not just what is written in your policies.
  2. We find gaps between what you think is protected and what actually is.
  3. We help you build governance structures that grow with your organization.
  4. We prepare you to answer confidently when authorities, customers, or the board ask questions.
  5. We help you show that your Article 32 compliance is solid and defensible.

This Data Protection Day, ask yourself: could you explain and defend your data protection measures if authorities, customers, or the board asked you to?

Key contacts

Otto Michelsen

Otto Michelsen is an expert in ICT contracts, data protection, and the legal aspects of emerging technologies. He is particularly skilled at guiding clients through data protection compliance, handling authority inquiries, and managing data-related disputes. Otto actively monitors the evolving EU data regulatory landscape and advises international organizations on how upcoming regulations impact their operations. He also supports companies in establishing effective data governance practices.

In addition, Otto has hands-on experience in building compliance programs and navigating complex scenarios involving sanctions legislation.

He holds the CIPP/E and CIPM certifications in data protection, awarded by the International Association of Privacy Professionals (IAPP).

The materials on the Eversheds Sutherland website are for general information purposes only and do not constitute legal advice. While reasonable care is taken to ensure accuracy, the materials may not reflect the most current legal developments. Eversheds Sutherland disclaims liability for actions taken based on the materials. Always consult a qualified lawyer for specific legal matters. To view the full disclaimer, see our Terms and Conditions or Disclaimer section in the footer.