Data is an increasingly essential part of Sanoma’s products and services in both Learning and Media Finland. The Group holds large volumes of personal data including that of employees, customers and, in its Learning assessment businesses, students and citizens. Sanoma is subject to the General Data Protection Regulation (GDPR), which sets strict requirements for implementing data subject rights, and for companies to demonstrate their accountability for complying with the regulation. Non-compliance with the GDPR in Sanoma’s business and operations or potential inadequacy of the data protection processes and practices may cause problems, difficulties or additional costs to Sanoma. Any infringement of the GDPR could adversely affect Sanoma’s reputation. Furthermore, under the GDPR, a national data protection authority is vested with the power to impose corrective actions, such as temporary or definitive bans on processing, and to impose administrative fines for breaches of the GDPR up to EUR 20 million or 4% of the total worldwide annual turnover of a company. The Directive on Privacy and Electronic Communications also imposes requirements for online data collection and use.
In addition, Sanoma is exposed to potential data breaches resulting from unauthorised or accidental loss of or access to personal data managed by Sanoma or by third parties processing data on Sanoma’s behalf. For example, Sanoma’s or its third-party suppliers’ systems could be vulnerable to unauthorised access, misuse, breaches due to employee error or malfeasance, computer viruses, attacks by hackers or other similar threats. Data is key in the development of Sanoma’s products and services, as it enables content and learning services to be better tailored to the needs of customers, for example by providing individualised learning paths and even more compelling media content. Continuing the use of data in the future is dependent on maintaining the trust of customers, and potential data breaches could significantly undermine this trust. A data breach could lead to reputational damage which could ultimately lead to Sanoma’s inability to effectively compete for future business and to potential cancellations of existing contracts.
To mitigate these risks, Sanoma runs a privacy programme that monitors development and enforcement of privacy regulations. Sanoma’s key privacy implementation processes include conducting privacy impact assessments, data lifecycle management, negotiating data processing agreements with third parties, information security measures to protect data, data breach management procedures and implementation of data subject rights. However, there can be no assurance that such measures will be successful in ensuring compliance with privacy laws, which could lead to penalties, significant remediation costs and reputational damage, or that data breaches will not occur or, in the event that breaches do occur, that Sanoma will be able to mitigate the effects of such a breach.