Nordic Privacy Arena 2025 – key insights and discussion topics

Nordic Privacy Arena (NPA) is the most significant Nordic conference focusing on data protection and privacy. It is held annually in Stockholm and online, bringing together data protection officers, authorities, lawyers, activists, and privacy professionals to discuss the latest developments in the field.

The 2025 conference took place on 29–30 September at the Münchenbryggeriet venue. The theme was “Ten years of progress, responsibility for the future,” celebrating the tenth anniversary of the event and focusing on the changing landscape of privacy – from AI governance to digital sovereignty.

GDPR Tech participated in the event for the third time and was also a sponsor this year. Juha Sallinen and Jaanaliisa Kuoppa attended the conference in person, and in this article they share the key takeaways and their own observations.

AI, oversight, and sandboxes – Sweden’s approach interests Finland

Sweden’s new Data Protection Authority Commissioner Eric Lejonram delivered the most impactful keynote of the event. He emphasised risk-based governance of AI and the need for stronger safeguards alongside high-risk technologies.

Jaanaliisa Kuoppa summarised her view as follows:

“From a Finnish perspective it was noteworthy that Lejonram highlighted sandboxes and oversight mechanisms. In Sweden these have been in place for years – in Finland the work is still ongoing.”

The status of Finland’s AI sandboxes remains open. According to Traficom (14 October 2025), “Work is underway in Finland and the national implementation model is still open.” Haaga-Helia is participating in the EU’s EUSAir sandbox project, which may accelerate practical progress.

Juha Sallinen commented directly on the situation:

“Finland’s AI sandboxes are still at a weak level. Compared to Sweden, we are clearly behind.”

Max Schrems – the realisation of GDPR fines

The conference also featured one of the most recognised figures in the field, Max Schrems, who highlighted an important and worrying observation: while significant GDPR fines have been issued in Europe, only a fraction of them have actually been collected.

Schrems also pointed out that courts remain reluctant to take on data protection cases. Their technical complexity is understandable, but this undermines both the credibility and the enforcement of the GDPR.

Digital sovereignty – realism or European optimism?

One of the most discussed themes was digital sovereignty: how Europe can maintain independence and capability in technology when the United States dominates the landscape of AI and cloud services.

In one panel, Bill Clinton was quoted: “Pessimism is an excuse for not trying.”

Juha Sallinen shared his perspective:

“There are alternatives in Europe. Finland has skilled software providers and data centres. OVHcloud is a good example of a European provider offering both infrastructure and SaaS environments. But realism matters – replacing Microsoft Office with LibreOffice would reduce productivity in many organisations.”

Swedish expert Daniel Melin summarised Europe’s situation succinctly: “We have outsourced our core to other states.”

Jaanaliisa Kuoppa considered Melin’s proposal the most practical contribution of the conference:

“His solution was simple – the public sector should purchase more European systems. This means adjusting procurement legislation to favour European alternatives.”

The Draghi Report and regulatory simplifications: necessary or harmful?

The conference also discussed the Draghi Report and the GDPR simplification proposals based on it, including raising the employee threshold from 250 to 750.

Jaanaliisa Kuoppa commented candidly:

“From a Finnish perspective that increase is quite drastic. The 250-employee threshold is justified – a company with 200 employees already processes large amounts of staff, customer, and partner data.”

Juha Sallinen saw cosmetic aspects in the change:

“If larger companies are sensible, they will require their subcontractors to maintain at least a basic level of data protection anyway. The change does not remove responsibility.”

Panels also explored the broader question: is Europe stifling itself with regulation, or does the “Brussels effect” force global service providers to comply with EU requirements? This trend is already visible, for example, in India’s new data protection law, which is largely modelled on the GDPR.

Technologies that forgot privacy

Anna Berlee highlighted examples of technologies where privacy took a back seat:

  • Google Glass, whose users became known as “Glassholes”
  • Clearview AI, which Finnish police used without an adequate security assessment (the National Bureau of Investigation received a reprimand in 2021)

These cases remind us why privacy must be considered already at the design phase of technology.

Sport Admin – an example of what happens when data protection fails

Juha Sallinen took part in a panel discussing the data breach involving the Swedish Sport Admin platform. The case concerned the processing of children’s and guardians’ data – and illustrated what can happen when data protection and security are not handled with sufficient care.

A separate blog article on this topic will follow.

Why should Finns attend NPA?

Once again, few participants came from Finland, but attending is highly worthwhile.

Jaanaliisa Kuoppa summed up the reason:

“Absolutely worth it! The GDPR is not a Finnish invention. Meeting European experts face-to-face was truly eye-opening. And we Finns should probably start recognising that Sweden is actually a very good neighbour.”

NPA 2025 offered:

  • an up-to-date view of the intersection of AI and privacy
  • insights into digital sovereignty
  • discussion on GDPR simplifications and their implications
  • concrete examples of why data protection remains critical
  • valuable networking with European experts

The event once again demonstrated how quickly the privacy and data protection landscape is evolving – and why Nordic cooperation is more important than ever.

Would you like to learn more about data protection or discuss the themes of the event?

Contact us – let’s continue the conversation and explore how your organisation can strengthen data protection and security in a practical and effective way.

Execute and Maintain the Target | Part 4/4

Data Governance in Action – Implementation and Maintenance

Designing a data governance strategy is only the beginning. To truly manage unstructured data, organisations must implement their plans, monitor compliance, and continuously improve. Execution and maintenance are where theory meets reality—and where many organisations struggle.

Access Control – Who Can See What?

One of the most overlooked risks in unstructured data management is access control. On network drives, permissions are often misconfigured. For example:

  • A folder may grant “Full Control” to the group “Everyone”
  • File-level permissions may include “Domain Users”

This effectively gives all employees the ability to access, modify, or delete sensitive files. Such basic misconfigurations are often the root cause of internal data breaches.

In cloud environments like Microsoft 365 or SharePoint, external sharing adds another layer of risk. Without proper controls, users may accidentally share personal data outside the organisation.

Best practices for permissions:

  • Replace “Everyone” with “Authenticated Users”
  • Limit access at both share and file levels
  • Regularly audit permissions and remove unused access
  • Use identity management tools (IDM) to enforce policies
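The audit the list above calls for, as an added example (not the article's code): it walks a share root, reports every NTFS and share-level entry granted to "Everyone" or "Domain Users", and can optionally swap explicit "Everyone" entries for "Authenticated Users". The parameter names (-Root, -Report, -Remediate) are assumptions; run it without -Remediate first and review the CSV.

```powershell
# Added example, not the article's code: audit NTFS and SMB share permissions under a root
# path for "Everyone" and "Domain Users" entries and, with -Remediate, swap explicit
# "Everyone" entries for "Authenticated Users" with the same rights. Parameter names are assumed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$Root,
    [string]$Report = '.\acl-findings.csv',
    [switch]$Remediate
)

function Test-RiskyPrincipal {
    param([string]$Name)
    # "Everyone" is the well-known S-1-1-0 group; Domain Users resolves as DOMAIN\Domain Users.
    return ($Name -eq 'Everyone' -or $Name -like '*\Everyone' -or $Name -like '*\Domain Users')
}

# 1. File-level (NTFS) entries on the root folder and every folder below it.
$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Recurse -Directory -ErrorAction SilentlyContinue)
$ntfs = foreach ($dir in $folders) {
    foreach ($ace in (Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue).Access) {
        if (Test-RiskyPrincipal $ace.IdentityReference.Value) {
            [pscustomobject]@{ Level = 'NTFS'; Path = $dir.FullName; Principal = $ace.IdentityReference.Value
                               Rights = "$($ace.FileSystemRights)"; Type = "$($ace.AccessControlType)"; Inherited = $ace.IsInherited }
        }
    }
}

# 2. Share-level entries for every SMB share that exposes a folder under the root.
$shares = foreach ($share in (Get-SmbShare | Where-Object { $_.Path -and $_.Path -like "$Root*" })) {
    foreach ($entry in Get-SmbShareAccess -Name $share.Name) {
        if (Test-RiskyPrincipal $entry.AccountName) {
            [pscustomobject]@{ Level = 'Share'; Path = "\\$env:COMPUTERNAME\$($share.Name)"; Principal = $entry.AccountName
                               Rights = "$($entry.AccessRight)"; Type = "$($entry.AccessControlType)"; Inherited = $false }
        }
    }
}

$all = @($ntfs) + @($shares)
@($all) | Export-Csv -Path $Report -NoTypeInformation
Write-Host ("{0} risky entries written to {1}" -f $all.Count, $Report)
if (-not $Remediate) { return }

# Only explicit (non-inherited) "Everyone" NTFS entries are rewritten: inherited ones must be fixed on
# the parent that defines them, and "Domain Users" needs a decision about which narrower group should hold
# the access, so both stay in the report for follow-up.
$targets = $all | Where-Object { $_.Level -eq 'NTFS' -and $_.Principal -like '*Everyone' -and -not $_.Inherited }
foreach ($f in @($targets)) {
    if (-not $PSCmdlet.ShouldProcess($f.Path, "Replace 'Everyone' with 'Authenticated Users'")) { continue }
    $acl = Get-Acl -LiteralPath $f.Path
    foreach ($ace in @($acl.Access | Where-Object { $_.IdentityReference.Value -like '*Everyone' -and -not $_.IsInherited })) {
        try {
            $new = [System.Security.AccessControl.FileSystemAccessRule]::new('NT AUTHORITY\Authenticated Users',
                $ace.FileSystemRights, $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
            [void]$acl.RemoveAccessRule($ace)
            $acl.AddAccessRule($new)
        } catch { Write-Warning "Could not rewrite an entry on $($f.Path): $_" }
    }
    Set-Acl -LiteralPath $f.Path -AclObject $acl
}
```

Because the script declares SupportsShouldProcess, `-Remediate -WhatIf` lists every folder it would change without touching any ACL.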

File Sharing – Internal and External Risks

File sharing is essential, but tools such as Box, Dropbox, or WeTransfer must be vetted. Conduct a Data Protection Impact Assessment (DPIA) and ensure data processing agreements are in place.

In Microsoft 365 and Google Workspace, sharing settings can be controlled at site or folder level. However, users must be trained to:

  • Set expiration dates for shared links
  • Avoid anonymous or external sharing unless explicitly allowed
  • Understand what data is safe to share

A real-world example: In a municipal education environment, over 16,000 internal sharing links were identified. The major concern was anonymous and external links, some of which exposed personal data to third parties.
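Training users is necessary, but the defaults they start from can be set centrally. As an added example (not the article's code), the following SharePoint Online Management Shell settings make link expiry and non-anonymous links the default for Microsoft 365; TENANT and the HR site URL are placeholders.

```powershell
# Added example, not the article's code: tenant-wide sharing defaults that enforce the points
# above (link expiry, no anonymous or external sharing unless explicitly allowed).
# TENANT and the HR site URL are placeholders.
Connect-SPOService -Url 'https://TENANT-admin.sharepoint.com'

$watch = 'SharingCapability', 'DefaultSharingLinkType', 'RequireAnonymousLinksExpireInDays',
         'FileAnonymousLinkType', 'ExternalUserExpirationRequired'
Get-SPOTenant | Select-Object $watch | Format-List      # record the "before" state for the change ticket

$tenantSettings = @{
    DefaultSharingLinkType            = 'Internal'  # new links default to people in the organisation
    RequireAnonymousLinksExpireInDays = 30          # where anonymous links remain allowed, they expire
    FileAnonymousLinkType             = 'View'      # and can never grant edit rights
    FolderAnonymousLinkType           = 'View'
    ExternalUserExpirationRequired    = $true       # guest access to sites expires as well
    ExternalUserExpireInDays          = 60
}
Set-SPOTenant @tenantSettings
# If no site has a documented need for anonymous links, remove them tenant-wide instead:
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# A site holding personal data gets no external sharing at all (the HR site is an assumed example);
# a site can only be tighter than the tenant setting, never looser.
Set-SPOSite -Identity 'https://TENANT.sharepoint.com/sites/HR' -SharingCapability Disabled

Get-SPOTenant | Select-Object $watch | Format-List      # "after" state
```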

Content Classification and Labelling

Governance begins with understanding what you are managing. Content classification tools can detect sensitive information—such as personal identifiers, financial records, or regulated terms. Labels (e.g. “Contains SSN”, “PII”, “Contractual”) enable automation, retention enforcement, and risk mitigation.

Organisational labels (e.g. “HR”, “Internal”, “Confidential”) help contextualise data for access control and policies. These can be applied manually or automatically, based on metadata or folder structure.

AI Without Data Awareness Is a Risk

AI tools such as Microsoft Copilot or ChatGPT are powerful—but risky if used without a clear view of your data landscape.

If unstructured data contains outdated, sensitive, or misclassified content, AI may surface or process it inappropriately. Before deploying AI, ensure your data is classified, governed, and access-controlled.

Cloud Migration Doesn’t Equal Modernisation

Migrating legacy data “as-is” to Microsoft 365 or Google Workspace is common—but risky. Simply moving unmanaged files to the cloud does not reduce risk. Old formats remain unsupported, and sensitive data remains exposed unless actively governed.

Migration must be paired with classification, clean-up, and policy enforcement.

Environment Limitations

Governance capabilities vary across platforms. Microsoft 365 and Google Workspace offer different features depending on licensing. Legacy file servers lack classification, access auditing, and retention enforcement by default. Third-party tools can help, but require planning and investment.

Conclusion

Executing and maintaining a data governance strategy requires more than policies—it demands tools, training, and ongoing oversight.

By automating clean-ups, auditing permissions, and educating users, organisations can turn governance plans into sustainable practices.

And remember: AI can be transformative, but only when built on a foundation of clean, classified, and controlled data.

This is the final part of our 4-part series on unstructured data. Read all posts in the series here.

Want to explore this topic further? Read our article “Unstructured Data Threats and How Top Experts Say You Can Handle It”. Click here to read more!

Would you like to discuss how to put these practices into action in your organisation? Contact our experts

Unstructured Data and Its Challenges | Part 1/4

Introduction

Unstructured data makes up the majority of information in organisations—often more than 80%. Unlike structured data in databases, unstructured data includes emails, documents, spreadsheets, images, videos, and even AI-generated content. It is scattered across systems, unmanaged, and frequently contains sensitive personal data.

What Is Unstructured Data?

Unstructured data refers to information that lacks a predefined format or organisational structure. Examples include job applications and CVs stored as free-text documents, event registration forms with open-ended responses, and emails with attachments containing personal identifiers. These files are typically saved on network drives, cloud platforms, or local devices—often without consistent naming conventions, metadata, or retention policies.

The Scale of the Problem

Studies show that unstructured data accounts for up to 90% of all organisational data. Worse, much of it is “dark data”—information that is collected but never used or properly managed. This leads to increased storage costs, compliance risks under regulations like GDPR, and difficulty in locating and securing sensitive information. To give an example of the scale, one terabyte of data in an unstructured format contains around one million files.

[Infographic: more than 80% of organisational data is unstructured; 1 TB ≈ 1 million unstructured files]

Why It Matters

Unstructured data often contains personal information, such as health details or national ID numbers. Without proper controls, this data can be exposed, misused, or retained far longer than legally permitted. GDPR mandates data minimisation and purpose limitation—organisations must only collect and retain data that is necessary. A real-world example: A folder labelled ‘Project Applications’ contained anaesthesiologist CVs from 2004, including personal IDs. These files had no valid retention basis and should have been deleted or moved to a secure HR system years ago.

Content Classification Is Essential

Effective data governance starts with knowing what you are managing. Content classification tools help identify sensitive information, such as personal data, financial records, or confidential terms. Without classification, organisations cannot reliably enforce retention, access, or deletion policies.

Classification is the foundation for automation, compliance, and risk reduction. In the following small supplier data overview, organisations had thousands of items requiring deeper analysis. Notably, organisations were also sharing data externally, even via anonymous links—and as we validated, none of these links had expiration dates. The analysis was created with AvePoint Insights and Policies.
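A small classifier of the kind this section and the "Content Classification and Labelling" section of Part 4 describe, as an added example (not the article's code and not AvePoint's): it scans text files under a share for Finnish personal identity codes, validates the checksum so random digit strings are not flagged, and writes a masked per-file report. Parameter names are assumptions, and Office formats would need a text extractor first.

```powershell
# Added example, not the article's or AvePoint's code: scan plain-text files under a share
# for Finnish personal identity codes (henkilötunnus), keep only candidates whose checksum
# is valid, and write a masked report that a "PII" label or retention rule can key on.
# -Root, -Report and -Include are assumed parameter names; Office formats need a text
# extractor first, so only text-like extensions are scanned here.
param(
    [Parameter(Mandatory = $true)][string]$Root,
    [string]$Report = '.\hetu-findings.csv',
    [string[]]$Include = @('*.txt', '*.csv', '*.log', '*.xml', '*.json', '*.html', '*.md')
)

# DDMMYY, century marker (+ = 1800s; - and Y..U = 1900s; A..F = 2000s), individual number, check character.
$HetuPattern   = '\b(\d{6})([-+ABCDEFYXWVU])(\d{3})([0-9A-FHJ-NPR-Y])\b'
$ChecksumChars = '0123456789ABCDEFHJKLMNPRSTUVWXY'   # 31 symbols; index = DDMMYYZZZ mod 31

function Test-Hetu {
    param([string]$Candidate)
    if ($Candidate -cmatch ('^' + $HetuPattern + '$')) {
        $day = [int]$Matches[1].Substring(0, 2); $month = [int]$Matches[1].Substring(2, 2)
        if ($day -lt 1 -or $day -gt 31 -or $month -lt 1 -or $month -gt 12) { return $false }
        $index = [int]([int64]($Matches[1] + $Matches[3]) % 31)
        return ([string]$ChecksumChars[$index] -ceq $Matches[4])
    }
    return $false
}

function Find-HetuInFile {
    param([string]$Path)
    $lineNo = 0
    foreach ($line in @(Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue)) {
        $lineNo++
        foreach ($m in [regex]::Matches($line, $HetuPattern)) {
            if (Test-Hetu -Candidate $m.Value) {
                # The report must not become a fresh copy of the personal data: mask the individual part.
                [pscustomobject]@{ Path = $Path; Line = $lineNo; Masked = $m.Value.Substring(0, 7) + '****' }
            }
        }
    }
}

$findings = @(Get-ChildItem -LiteralPath $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
    ForEach-Object { Find-HetuInFile -Path $_.FullName })
$findings | Export-Csv -Path $Report -NoTypeInformation

# One row per file with a count is what a labelling or retention policy keys on.
$findings | Group-Object Path | Sort-Object Count -Descending |
    Select-Object @{ n = 'File'; e = { $_.Name } }, @{ n = 'IdCodes'; e = { $_.Count } } | Format-Table -AutoSize
```

With the commonly published test value 010101-123N, Test-Hetu returns $true; changing the check character to any other letter returns $false.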

AI Without Data Awareness Is a Risk

AI tools like Microsoft Copilot or ChatGPT offer powerful capabilities—but using them without understanding your data landscape is dangerous. If your unstructured data contains outdated, sensitive, or misclassified content, AI may surface or process it inappropriately. Before deploying AI, ensure your data is classified, governed, and access-controlled.

Environment Limitations

It is important to note that environments like Microsoft 365 and Google Workspace offer different governance features depending on licensing level. Legacy file servers, by default, lack most governance capabilities—such as version control, access auditing, or classification. These features can be added using third-party tools, but require planning and investment.

Conclusion

Unstructured data is not just a technical challenge—it is a strategic imperative.

Organisations must invest in tools, processes, and awareness to ensure that this vast and growing data pool is secure, compliant, and useful. Without content classification and governance, even the best AI tools can become a burden.

Want to explore this topic further? Read our article “Unstructured Data Threats and How Top Experts Say You Can Handle It”. Click here to read more!

This is Part 1 of our 4-part series on unstructured data. In the next articles, we’ll go deeper into practical methods for managing and governing it.

About Rigacomm, people & robots

Off we went with Juha to Rigacomm, the biggest business and IT technology fair in the Baltics, held this year on October 11 to 12. Our stand was strategically located between the coffee area, where the InOut cloud-based queueing system was demonstrated, and the Diatom stand, occupied by an interactive robot, near the digital marketing stage. So we received our fair share of visitors, which was nice.

In quite a few conversations I ended up explaining the significance of GDPR legitimate interest and the balancing test. There is no legal requirement to ask for marketing consent from customers on a customer list when certain (broadly set) conditions are met. Of course, a regular explicit opt-out is still mandatory.

There were also many questions about what our technical solutions for GDPR are and whether we develop them ourselves (the answer being yes, but not for software). So, more discussions about dark data assessment in different environments (file server, SharePoint, O365, other cloud-based environments). There is no single patent solution for all cases. We offer solutions based on Veritas, Varonis and Micro Focus software.

As there were vivid discussions about our SMB start package content and implementation, and about the effort and commitment it takes from the customer organization as well (we go deep inside to verify), there was not as much time for discussions about the data flow modelling "beef" as I would have liked.

As a contrast to the GDPR discussions in our booth, there were two generally available robots around at the fair. I overheard someone asking the lobby robot: "Do you like Robocop?" That confused the robot more or less (and amused me). I wonder if the robots were set to collect and store the questions people asked this time. That could be really interesting machine learning data, as I assume human imagination is in the end still superior to what any machine could possibly produce.

I also had a really nice discussion with a lady who was tired of all the information available, and of GDPR in particular. It's no surprise GDPR doesn't have a good echo, as there are so many misunderstandings and even disinformation about it around. She was open about her frustration, and then we ended up talking about chocolate and ice cream. That's what we humans are like and I appreciate it.

GDPR is almost here – Here’s a last minute checklist!

The GDPR deadline is less than a month away. The two-year transition period is almost used up. The General Data Protection Regulation, GDPR, regulates data processing strictly compared to the previous laws. What steps should organizations have taken? These are some of the important things your organization should do:

  • Is your company processing or controlling a large amount of data? Make sure that you have named a Data Protection Officer if you do.
  • If your organization operates in several European countries, appoint a lead DPO.
  • Document the processing of personal data. Go through all the phases from the collection to the disposal of the data.
  • Determine the lawful basis behind the data collection, controlling or processing. Note that the basis does not always have to be a direct opt-in. The ICO has recently released a useful lawful basis guidance tool, which can be found here.
  • What kind of risks could be involved in the data processing in your organization? Make sure to have a mitigation plan.
  • Get ready for data subject access requests. Update your processes to make GDPR compliance more automatic. Is your organization ready to find the data if needed?
  • Make sure your data security is up to date. Also be ready to notify of possible data breaches.
  • Check the GDPR readiness of your partner organizations and service providers and update your contracts.
  • If you process or control data of minors, make sure to check the special requirements you need to meet.

Many parts of this checklist can be covered by our Start package. The package works as a fast lane for GDPR compliance! Also check the Gap analysis by our partner IT Governance! It provides a detailed breakdown by area of your compliance status, and an action plan that sets out and prioritizes the key issues your organization must address to become compliant.

If you have not started yet with GDPR compliance – this is the time to start!


Contact us for more information!