New stricter EU rules on data protection were adopted in May 2016 and will be fully effective within all EU countries as from May 2018.  The new rules will include fines for non-compliance which can be significant. As the maximum fines can be 4 % of the global turnover of the failing company there can be significant amounts at stake. Two years transition time may seem like a long period, but considering the potential need to update large and complex IT-systems, like HR, ERP and CRM systems, it is time to start-up with gap analysis and change projects. Some companies will have a lot to do the next two years if they want to minimize the risk for large fines.

”My impression is that many companies have viewed compliance with the data protection laws as a goal rather than a strict ”must have”. The good intention may be there, but the necessary efforts and resources are not allocated to make it happened. With the limited resources of the data protection authorities in the Nordics it has been possible to fly under the radar. However, the new level of sanctions will likely change that view” says Leif Frykman, one of the founders of LegalWorks.

With the new data protection landscape in mind Laissa Oy and LegalWorks have conducted a survey on data protection readiness. The survey is part of The Nordic GC Survey project which covers benchmark topics of interest for the Nordic general counsels and chief legal officers.

The survey covered 69 legal teams in Finland, Denmark and Sweden in many different industries, most of them were publically listed companies.

Although there is almost a consensus among the GCs that the importance of data protection issues are increasing (97 %) the overall readiness for GDPR is rather low.  Here are some data points:

• CLO/GC are often responsible for privacy in company management, Data Protection Officers also pretty common
• Two thirds of the companies did not have anyone employed at their company who deals solely with data protection or privacy issues
• 49% of the legal teams were actively engaged but not primarily responsible for privacy and data protection issues, 32% of the legal teams were responsible for them
• Less than 19% of the companies had not yet started to prepare for the new EU GDPR regulation
• 36% of the companies had not started to train their people on privacy and data protection issues and improving awareness
• 24 % of the companies do not have a privacy policy in place

”It seems clear from the survey that the GCs understand that something is coming, but not exactly what they need to do and who shall be responsible to drive this forward. My view is that the GCs and the legal teams need to exercise some leadership – not necessarily to take on the project leadership role, but rather to ensure that the internal stakeholders, like HR, IT and marketing, understand the challenge and take on ownership for their own systems.” says Axel Tandberg, one of LegalWorks data protection experts.

A comparison between Sweden, Denmark and Finland showed some interesting differences and that Finland is in the lead when it comes to data protection compliance.

” It is time to get out of the starting blocks. Based on the survey it seems like most GCs hope for a Usain Bolt-like finish.” says Jorma Vartia , CEO of Laiisa Oy and one of the founders of the Nordic GC Survey”.

If you want a copy of the report from the Nordic GC Survey please contact Ulf Lindén at [email protected]