Case Vapo

From theory to practice – a preliminary survey helped Vapo internalise the requirements of GDPR

The EU’s General Data Protection Regulation (GDPR) will enter into force in the spring of 2018. Vapo enlisted the help of Digia in the preparations for the obligations ushered in by GDPR. The measures required from Vapo by GDPR were charted with the Digia Continuous Compliance Fast Track preliminary survey model.

Benefits:

  • A survey of the current state of data protection and information security shows the baseline level.
  • The result of the survey was a clear plan of the concrete action required by the change.
  • The persons in charge of different aspects receive consistent training and tools for implementing the change.
  • Meeting the requirements of GDPR avoids sanctions and creates a strong foundation for secure digital development in the future.


Before Digia, no one was really able to convince us that they actually knew what measures we would need to be able to take in practice in order to be compliant. The project was quickly completed, and I can recommend the survey to others.

Antti Kleemola, CIO, Vapo



On paper, the EU’s General Data Protection Regulation was nothing new to Vapo. However, the company needed outside help to put theory into practice. Digia rolled up its sleeves and helped Vapo to the next level with its Continuous Compliance Fast Track preliminary survey model.

Cyber-threats from leaks to blackmail have been in the headlines recently. For companies, such events usually lead to service disruptions and the violation of basic rights, and they erode trust in the functioning of digital services. The EU has also recognised the issues related to information security and data protection, and the new General Data Protection Regulation (GDPR), which imposes stricter obligations on companies and corporations, will enter into force in the spring of 2018.

Energy company Vapo aims to be the world's best expert in the energy industry. Digitalisation plays a major role in achieving this objective, and Vapo has invested heavily in it. Vapo operates in a regulated industry that is required to react proactively to potential changes in legislation. It was thus only natural that Vapo had put the changes required by GDPR on the agenda as early as 2015. In the spring of 2017, the company moved from theory to practice with the help of Digia.

Hard work

The security of information is important to Vapo from many different angles. World events have encouraged the company to constantly look for vulnerabilities in its own systems in order to prevent third parties from accessing, for example, the remote control systems of its power plants. In addition, the protection of information has become increasingly important as Vapo is beginning to expand its use of customer data.

“In the past year, we have brought customers closer to our own activities and processes. This also means that we are using much more customer data or customer-generated data in our environments. It is thus vital to ensure that our activities in this area are appropriate and correct”, says Vapo CIO Antti Kleemola.

At the level of theory, Vapo was already familiar with the contents and guidelines of the EU’s General Data Protection Regulation.

“We have organised guidance and training on the subject for our employees. But the actual hard work was still to be done”, Kleemola says.

Help came in the form of Digia’s Continuous Compliance Fast Track preliminary survey model, with which Vapo was able to move from theory to the concrete matters requiring attention so that everything would be compliant upon the entry into force of GDPR.

Putting aside the threats and going straight to the point

Discussions of the EU’s General Data Protection Regulation often start out with the sanctions. Kleemola was familiar with this deterrent perspective from discussions held at various seminars. Those discussions did not lead to concrete action, however.

“Before Digia, no one was really able to convince us that they actually knew what measures we would need to be able to take in practice in order to be compliant”, Kleemola says.

“We really valued that direct approach, going straight to the matter at hand and the concrete measures, instead of potential threats.”

In a two-week survey, Digia’s expert reviewed Vapo’s systems and compiled a summary, based on which the necessary measures were then designed. As a result, Vapo’s data protection officer, IT department and other relevant parties received bilingual reports with recommendations and a risk map from which Vapo could easily prepare a data balance sheet.

“The survey gave us recommendations for the next measures to take and matters to take into account. In addition to that, we also received confirmation that we had already been doing certain things right and had understood certain matters correctly”, Kleemola says.

Kleemola praises the cooperation with Digia.

“The project was quickly completed, and I can recommend the survey to others. Digia’s expert had an eye for detail and checked uncertain matters immediately with the authorities if need be. They did a great job”, Kleemola concludes.

The survey applied to Vapo’s energy operations in Finland and can be used as a basis for continuing the work in other Group companies in Finland and abroad.
