Greetings from the Nordics!

The final countdown has started for the implementation of the General Data Protection Regulation. A few days ago, a headline in the local newspaper, Helsingin Sanomat, stated that, “Data protection is tuned in a hurry.” I guess this is true for many stakeholders even if that should not be the case.

In early March, we celebrated the 30th anniversary of data protection and privacy laws here in Finland. Sweden has even longer history with the data protection and privacy laws compared to Finland, and the roots in Sweden go all the way to the early 1970s. By coincidence, timing could have not been better, since the topic has been actively discussed for the obvious reasons. In addition, this illustrates that the GDPR is not actually creating new rules, but only updating the existing laws to correspond with today’s society.

It is very rare that we, privacy professionals, could say that our work is simply local. Even if we engage ourselves with certain a country and with a certain organization, at the end of the day, what we do is very global. Our business partners or clients are based around the globe, and the services we buy or use are oftentimes offered from another country. Along with the GDPR, we also get a piece of legislation that applies not only in one country but within the European Union. Even if the requirements will be harmonized within the EU, we still have our own culture and national characteristics that have an impact on everything we do. Let me use the Finns as an example: The website www.visitfinland.com describes us (among other things) as genuine — we mean what we say. This applies not only among our family and friends, but also in our trust of government and authorities, which is on a very high level. The same applies with all Nordic countries.

We all here in the Nordics have similar worldviews and cultures, but we are still different — especially if we compare ourselves to the continent. We are very technology-oriented and skillful people. Several success stories have been created in the Nordics and people around the globe are enjoying those services — Angry Birds and Spotify just to mention two of them.

I was invited to speak for that 30th anniversary celebration that we had in early March. The Ministry of Justice wanted to mark this achievement together with the data protection authority and different stakeholders who are actively working in this field, and I participated not only because I have a background with working at the Finnish data protection’s authority’s office but also because of my role as an IAPP’s country leader for the Nordics. Instead of having a typical presentation, I prepared a speech that highlighted, among other things, the global working environment of privacy professionals and development of privacy profession. But my main message was a story about HeLa cells, which touched me deeply when I heard an opening speech at the IAPP Global Summit in Washington, in the spring of 2017, given by Rebecca Skloot. A message that I wanted to make with this story was that it is self evident that we have to comply with the legal requirements related to data processing activities — in a way that is easy. But to reach into the second level, we should think what is the right thing to do — ethical issues related to processing personal data. I personally want to lead this discussion and encourage all privacy professionals not only to think what is legally right but also about what the right thing to do is!