Nordic Privacy Arena 2025 – key insights and discussion topics
Nordic Privacy Arena (NPA) is the most significant Nordic conference focusing on data protection and privacy. It is held annually
Data Protection Officer of the Year 2024: Juha Sallinen Still Has Plenty of Work Ahead
GDPR Tech’s entrepreneur and founder, data protection consultant Juha Sallinen, was awarded Data Protection Officer of the Year 2024.
The award is granted annually to a person who exemplarily develops data protection practices and promotes networking, expertise, and the sharing of knowledge across organizational boundaries. The recognition was presented at the Data Protection Day 2025 event on January 28, 2025, organized by Alma Insights and the Office of the Data Protection Ombudsman. The awardees were selected by a panel of experts.
Here is a closer look at Juha’s and GDPR Tech’s journey to this point.
The Journey to Becoming a Data Protection Expert
Juha’s path into data protection has been multifaceted. Before full-time data protection work, Juha worked for nearly 20 years in the IT sector, where he witnessed major technological shifts such as the development of cloud services and the related risks. His experience as a trainer, along with roles at IT company Tieto, HP Enterprise, cybersecurity company Symantec, and data management company Veritas Technologies, built a solid foundation for understanding data protection compliance. His background as an engineer, combined with a later eMBA degree, has provided him with a broader perspective on both technical and business-related questions.
Since 2016, Juha has been an entrepreneur at GDPR Tech, whose core mission is to bring trust to data protection through practical measures. This includes both training and technical actions that help organizations improve their data protection practices.
Photo credit: Alma Insights. From left to right: Reijo Aarnio, Oona Matinpalo, Juha Sallinen, Kimmo Rousku, Ida-Emilia Laasonen.
The Biggest Challenges in Data Protection Work
According to Juha, one of the greatest challenges in data protection work is prioritization – how to allocate time and resources effectively while considering companies’ very different starting points regarding data protection.
“I still see organizations that haven’t even started data protection work,” Juha notes, giving a telling example: “One of the most common passwords in Finland is still ‘salasana’ (‘password’). If that’s the level of security, you can’t assume that data is otherwise properly protected either—or if the password is simply empty – and yes, there are those too. So there is still a lot of work to be done, and my expertise must be put to best use in supporting each client’s individual situation.”
“Between 2016–2018, a lot of misinformation about GDPR circulated, and some of these misconceptions still persist in many companies,” Juha remarks.
He cites as an example the belief that GDPR does not apply to all companies. In reality, GDPR is in one way or another part of every company’s operations. “Of course, common sense should be used—for instance, a sole proprietor in excavation work for a municipality has little to do with personal data. However, if a sole proprietor works as a doctor for a wellbeing services county, then they are already dealing with completely different and much more sensitive information.”
Expertise Means Continuous Learning
Data protection legislation is constantly evolving, and keeping up to date requires regular study and active monitoring. Juha maintains his expertise by attending selected industry seminars, such as Alpine Privacy Days and the Nordic Privacy Arena, which also provide valuable insights into legislative developments in other countries.
Juha highlights an interesting example from South Africa’s POPIA (Protection of Personal Information Act), which contains unusually severe sanctions for data protection violations – ranging from fines (10 million rand) to prison sentences (up to 10 years).
“At the moment, we are monitoring the situation in the United States: will the adequacy decision (Data Privacy Framework) remain in force, will it collapse, or will there be a Schrems III? These decisions would have a direct impact on the U.S.-based services organizations use, such as cloud-based office applications.”
Bringing Out Personal Strengths in Data Protection Work
Data protection work may initially seem like an overwhelming whole, with much to consider from both a legal and technical perspective.
“It’s easy to get overloaded in data protection work,” Juha confirms.
That’s why he encourages professionals to find their own area of specialization and to network with other players in the field. Collaboration and knowledge-sharing are key in a constantly evolving sector.
Data Management at the Core of Data Protection
Juha notes that the EU’s GDPR has already proven to be a kind of “gold standard”, which is referred to in, for example, China’s PIPL and Brazil’s LGPD legislation. At the same time, however, constantly increasing regulation can create overload for many organizations.
“Continuously developing new technologies, such as artificial intelligence in its various forms, bring new challenges to data protection, and their effects will be seen for a long time to come,” Juha reflects.
For 2025, Juha predicts that the biggest data protection theme will be data management. Many data breaches occur because old information is stored without proper management. “The ‘D’ in GDPR—data—must be remembered: in addition to contracts, monitoring and technical measures are needed to protect people’s information,” Juha stresses.
The Daily Life and Future of a Data Protection Professional
To balance his daily data protection work, Juha spends winters snowboarding and summers working on various projects at his countryside home, where he lives.
“If I weren’t working in data protection, I would probably focus even more on data management,” Juha reflects. The last ten years have been very interesting, and data protection continues to provide new challenges and learning opportunities.
The Data Protection Officer of the Year diploma will end up on the wall of Juha’s remote office, serving as a reminder of his long and eventful journey in the field of data protection. He is particularly pleased that he was recognized as an outsourced Data Protection Officer.
Juha also wants to give credit to others in the field: “Everyone working in data protection would deserve similar recognition, as the field is full of skilled and dedicated professionals.”
Finally, Juha compares data protection to his beloved sport, snowboarding—with a twinkle in his eye:
“Data protection practices are not a hindrance, but an opportunity for smoother and safer operations—just like a good snowboard that makes the ride enjoyable instead of slowing you down!”
GDPR Tech congratulates the VAHTI Data Protection Development Working Group for receiving the 2024 Data Protection Act of the Year award.
What's new?
In the blog you will find current information, interesting articles and a lot of detailed information related to data protection.
Read these also
Execute and Maintain the Target | Part 4/4
Data Governance in Action – Implementation and Maintenance Designing a data governance strategy is only the beginning. To truly manage
Design the Target Level | Part 3/4
Unstructured data is growing rapidly, and without a clear governance strategy, organisations risk being overwhelmed by outdated, unmanaged, and potentially