Nordic Privacy Arena 2025 – key insights and discussion topics

Nordic Privacy Arena (NPA) is the most significant Nordic conference focusing on data protection and privacy. It is held annually in Stockholm and online, bringing together data protection officers, authorities, lawyers, activists, and privacy professionals to discuss the latest developments in the field.

The 2025 conference took place on 29–30 September at the Münchenbryggeriet venue. The theme was “Ten years of progress, responsibility for the future,” celebrating the tenth anniversary of the event and focusing on the changing landscape of privacy – from AI governance to digital sovereignty.

GDPR Tech participated in the event for the third time and was also a sponsor this year. Juha Sallinen and Jaanaliisa Kuoppa attended the conference in person, and in this article they share the key takeaways and their own observations.

AI, oversight, and sandboxes – Sweden’s approach interests Finland

Sweden’s new Data Protection Authority Commissioner Eric Lejonram delivered the most impactful keynote of the event. He emphasised risk-based governance of AI and the need for stronger safeguards alongside high-risk technologies.

Jaanaliisa Kuoppa summarised her view as follows:

“From a Finnish perspective it was noteworthy that Lejonram highlighted sandboxes and oversight mechanisms. In Sweden these have been in place for years – in Finland the work is still ongoing.”

The status of Finland’s AI sandboxes remains open. According to Traficom (14 October 2025), “Work is underway in Finland and the national implementation model is still open.” Haaga-Helia is participating in the EU’s EUSAir sandbox project, which may accelerate practical progress.

Juha Sallinen commented directly on the situation:

“Finland’s AI sandboxes are still at a weak level. Compared to Sweden, we are clearly behind.”

Max Schrems – the realisation of GDPR fines

The conference also featured one of the most recognised figures in the field, Max Schrems, who highlighted an important and worrying observation: while significant GDPR fines have been issued in Europe, only a fraction of them have actually been collected.

Max Schrems

Schrems also pointed out that courts remain reluctant to take on data protection cases. Their technical complexity is understandable, but this undermines both the credibility and the enforcement of the GDPR.

Digital sovereignty – realism or European optimism?

One of the most discussed themes was digital sovereignty: how Europe can maintain independence and capability in technology when the United States dominates the landscape of AI and cloud services.

In one panel, Bill Clinton was quoted: “Pessimism is an excuse for not trying.”

Juha Sallinen shared his perspective:

“There are alternatives in Europe. Finland has skilled software providers and data centres. OVHcloud is a good example of a European provider offering both infrastructure and SaaS environments. But realism matters – replacing Microsoft Office with LibreOffice would reduce productivity in many organisations.”

Swedish expert Daniel Melin summarised Europe’s situation succinctly: “We have outsourced our core to other states.”

Jaanaliisa Kuoppa considered Melin’s proposal the most practical contribution of the conference:

“His solution was simple – the public sector should purchase more European systems. This means adjusting procurement legislation to favour European alternatives.”

The Draghi Report and regulatory simplifications: necessary or harmful?

The conference also discussed the Draghi Report and the GDPR simplification proposals based on it, including raising the employee threshold from 250 to 750.

Jaanaliisa Kuoppa commented candidly:

“From a Finnish perspective that increase is quite drastic. The 250-employee threshold is justified – a company with 200 employees already processes large amounts of staff, customer, and partner data.”

Juha Sallinen saw cosmetic aspects in the change:

“If larger companies are sensible, they will require their subcontractors to maintain at least a basic level of data protection anyway. The change does not remove responsibility.”

Panels also explored the broader question: is Europe stifling itself with regulation, or does the “Brussels effect” force global service providers to comply with EU requirements? This trend is already visible, for example, in India’s new data protection law, which is largely modelled on the GDPR.

Technologies that forgot privacy

Anna Berlee highlighted examples of technologies where privacy took a back seat:

  • Google Glass, whose users became known as “Glassholes”
  • Clearview AI, which Finnish police used without an adequate security assessment (the National Bureau of Investigation received a reprimand in 2021)

These cases remind us why privacy must be considered already at the design phase of technology.

Sport Admin – an example of what happens when data protection fails

Juha Sallinen took part in a panel discussing the data breach involving the Swedish Sport Admin platform. The case concerned the processing of children’s and guardians’ data – and illustrated what can happen when data protection and security are not handled with sufficient care.

A separate blog article on this topic will follow.

Why should Finns attend NPA?

Once again, few participants came from Finland, but attending is highly worthwhile.

Jaanaliisa Kuoppa summed up the reason:

“Absolutely worth it! The GDPR is not a Finnish invention. Meeting European experts face-to-face was truly eye-opening. And we Finns should probably start recognising that Sweden is actually a very good neighbour.”

NPA 2025 offered:

  • an up-to-date view of the intersection of AI and privacy
  • insights into digital sovereignty
  • discussion on GDPR simplifications and their implications
  • concrete examples of why data protection remains critical
  • valuable networking with European experts

The event once again demonstrated how quickly the privacy and data protection landscape is evolving – and why Nordic cooperation is more important than ever.

Would you like to learn more about data protection or discuss the themes of the event?

Contact us – let’s continue the conversation and explore how your organisation can strengthen data protection and security in a practical and effective way.

Execute and Maintain the Target | Part 4/4

Data Governance in Action – Implementation and Maintenance

Designing a data governance strategy is only the beginning. To truly manage unstructured data, organisations must implement their plans, monitor compliance, and continuously improve. Execution and maintenance are where theory meets reality—and where many organisations struggle.

Access Control – Who Can See What?

One of the most overlooked risks in unstructured data management is access control. On network drives, permissions are often misconfigured. For example:

  • A folder may grant “Full Control” to the group “Everyone”
  • File-level permissions may include “Domain Users”

This effectively gives all employees the ability to access, modify, or delete sensitive files. Such basic misconfigurations are often the root cause of internal data breaches.

In cloud environments like Microsoft 365 or SharePoint, external sharing adds another layer of risk. Without proper controls, users may accidentally share personal data outside the organisation.

Best Practices for permissions:

  • Replace “Everyone” with “Authenticated Users”
  • Limit access at both share and file levels
  • Regularly audit permissions and remove unused access
  • Use identity management tools (IDM) to enforce policies
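The audit and the “replace Everyone with Authenticated Users” step above, as an added PowerShell example that is not part of the original article. It assumes the usual Windows principal names (“Everyone”, “Domain Users”, “Authenticated Users”, BUILTIN\Users); the share path in the usage comment is a constructed placeholder.

```powershell
# Added example, not from the original article. Audits NTFS ACLs for the broad
# principals named in the text and flags Allow entries that grant write, delete
# or permission-change rights, then offers a -WhatIf-capable fix that swaps
# explicit "Everyone" entries for "Authenticated Users" with the same rights.

# "Authenticated Users" is still every domain account, so write rights granted
# to it are reported as well, for review.
$script:BroadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users', 'Users')

# Rights that let a principal alter or destroy content, or change its ACL.
# 0x10000000 / 0x40000000 are GENERIC_ALL / GENERIC_WRITE, which appear as raw
# (negative) values on some ACEs instead of named FileSystemRights.
$script:RiskyMask = (
    [int][System.Security.AccessControl.FileSystemRights]::Write -bor
    [int][System.Security.AccessControl.FileSystemRights]::Delete -bor
    [int][System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
    [int][System.Security.AccessControl.FileSystemRights]::TakeOwnership -bor
    0x10000000 -bor 0x40000000
)

function Test-RiskyRights {
    param([Parameter(Mandatory)][int]$Rights)
    return ($Rights -band $script:RiskyMask) -ne 0
}

function Find-BroadAccess {
    # Emits one object per Allow ACE that grants a broad principal access.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Recurse
    )
    $targets = @(Get-Item -LiteralPath $Path)
    if ($Recurse) {
        $targets += @(Get-ChildItem -LiteralPath $Path -Recurse -Directory -ErrorAction SilentlyContinue)
    }
    foreach ($item in $targets) {
        try { $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop }
        catch { Write-Warning "Cannot read ACL on $($item.FullName): $_"; continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id   = $ace.IdentityReference.Value   # e.g. "CONTOSO\Domain Users"
            $name = $id.Split('\')[-1]              # strip the domain/authority prefix
            if ($script:BroadPrincipals -notcontains $name) { continue }
            $severity = if (Test-RiskyRights ([int]$ace.FileSystemRights)) { 'High' } else { 'Review' }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $id
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                Severity  = $severity
            }
        }
    }
}

function Repair-EveryoneAccess {
    # Replaces explicit "Everyone" Allow entries with "Authenticated Users",
    # keeping the same rights and inheritance flags. Run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $changed = $false
    foreach ($ace in @($acl.Access)) {   # snapshot: the collection is edited below
        if ($ace.AccessControlType -ne 'Allow' -or $ace.IdentityReference.Value -ne 'Everyone') { continue }
        if ($ace.IsInherited) {
            Write-Warning "Inherited 'Everyone' entry on $Path; fix it on the parent folder instead."
            continue
        }
        if ([int]$ace.FileSystemRights -lt 0) {
            Write-Warning "Generic-rights 'Everyone' entry on $Path; review it manually."
            continue
        }
        $replacement = [System.Security.AccessControl.FileSystemAccessRule]::new(
            'NT AUTHORITY\Authenticated Users', $ace.FileSystemRights,
            $ace.InheritanceFlags, $ace.PropagationFlags, $ace.AccessControlType)
        if ($PSCmdlet.ShouldProcess($Path, "Replace Everyone ($($ace.FileSystemRights)) with Authenticated Users")) {
            [void]$acl.RemoveAccessRule($ace)
            $acl.AddAccessRule($replacement)
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -LiteralPath $Path -AclObject $acl }
}

# Usage (the share path is a constructed placeholder):
# Find-BroadAccess -Path '\\fileserver\Projects' -Recurse |
#     Where-Object Severity -eq 'High' | Format-Table -AutoSize
# Repair-EveryoneAccess -Path '\\fileserver\Projects' -WhatIf
```

Findings marked Inherited come from a parent folder, so the audit output also tells you where in the tree the broad entry was actually set.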

File Sharing – Internal and External Risks

File sharing is essential, but tools such as Box, Dropbox, or WeTransfer must be vetted. Conduct a Data Protection Impact Assessment (DPIA) and ensure data processing agreements are in place.

In Microsoft 365 and Google Workspace, sharing settings can be controlled at site or folder level. However, users must be trained to:

  • Set expiration dates for shared links
  • Avoid anonymous or external sharing unless explicitly allowed
  • Understand what data is safe to share

A real-world example: In a municipal education environment, over 16,000 internal sharing links were identified. The major concern was anonymous and external links, some of which exposed personal data to third parties.

Content Classification and Labelling

Governance begins with understanding what you are managing. Content classification tools can detect sensitive information—such as personal identifiers, financial records, or regulated terms. Labels (e.g. “Contains SSN”, “PII”, “Contractual”) enable automation, retention enforcement, and risk mitigation.

Organisational labels (e.g. “HR”, “Internal”, “Confidential”) help contextualise data for access control and policies. These can be applied manually or automatically, based on metadata or folder structure.

AI Without Data Awareness Is a Risk

AI tools such as Microsoft Copilot or ChatGPT are powerful—but risky if used without a clear view of your data landscape.

If unstructured data contains outdated, sensitive, or misclassified content, AI may surface or process it inappropriately. Before deploying AI, ensure your data is classified, governed, and access-controlled.

Cloud Migration Doesn’t Equal Modernisation

Migrating legacy data “as-is” to Microsoft 365 or Google Workspace is common—but risky. Simply moving unmanaged files to the cloud does not reduce risk. Old formats remain unsupported, and sensitive data remains exposed unless actively governed.

Migration must be paired with classification, clean-up, and policy enforcement.

Environment Limitations

Governance capabilities vary across platforms. Microsoft 365 and Google Workspace offer different features depending on licensing. Legacy file servers lack classification, access auditing, and retention enforcement by default. Third-party tools can help, but require planning and investment.

Conclusion

Executing and maintaining a data governance strategy requires more than policies—it demands tools, training, and ongoing oversight.

By automating clean-ups, auditing permissions, and educating users, organisations can turn governance plans into sustainable practices.

And remember: AI can be transformative, but only when built on a foundation of clean, classified, and controlled data.

This is the final part of our 4-part series on unstructured data. Read all posts in the series here.

Want to explore this topic further? Read our article “Unstructured Data Threats and How Top Experts Say You Can Handle It”.

Would you like to discuss how to put these practices into action in your organisation? Contact our experts

Design the Target Level | Part 3/4

Unstructured data is growing rapidly, and without a clear governance strategy, organisations risk being overwhelmed by outdated, unmanaged, and potentially sensitive information. Designing a target level for data governance is essential—not just for compliance, but for operational efficiency, cost control, and AI readiness.

Start with a Plan

The lifecycle of unstructured data should follow a structured model:
Plan → Do → Check → Act

  • Plan: Define what data is collected, from whom, and for what purpose. Consider mergers, reorganisations, and legacy systems that may introduce risks.
  • Do: Implement storage practices in appropriate systems—HR platforms, cloud libraries, or network drives.
  • Check: Regularly audit data age, access rights, and compliance with retention policies.
  • Act: Remove or manage data that has reached the end of its lifecycle.

Define Ownership, Retention, and Labelling

Every data type should have a designated owner, retention period, and storage location. For example:

  • Job applications → Owner: HR → Retention: 6 months → Location: Sympa HR system
  • Customer complaints → Owner: Legal → Retention: 2 years → Location: a secure document repository

In addition to ownership and retention, high-level labelling (e.g. “HR”, “Internal”, “Confidential”) helps contextualise data for access control and policy enforcement. These labels can be applied manually or automatically based on metadata, folder structure, or file content.

Content Classification Is Essential

Governance begins with knowing what you’re managing. Content classification tools scan files to detect sensitive information—such as personal identifiers, financial records, or regulated terms. These labels (e.g. “Contains SSN”, “PII”, “Contractual”) enable automation, retention enforcement, and risk mitigation. Classification is also a prerequisite for safe and effective AI use.

AI Without Data Awareness Is a Risk

AI tools like Microsoft Copilot or ChatGPT offer powerful capabilities, but using them without a clear understanding of your data landscape is risky. If your unstructured data contains outdated, sensitive, or misclassified content, AI may surface or process it inappropriately. Before deploying AI, ensure your data is classified, governed, and access-controlled.

Cloud Migration Doesn’t Equal Modernisation

Migrating legacy data to the cloud “as-is” is common—but risky. Moving unmanaged files to Microsoft 365 or Google Workspace does not reduce risk or modernise content. Old formats (e.g. Lotus 1-2-3, Word 2) remain unsupported, and sensitive data remains exposed unless actively governed. Migration must be paired with classification, clean-up, and policy enforcement.

Environment Limitations

Governance capabilities vary across platforms. Microsoft 365 and Google Workspace offer different features depending on licensing level. Legacy file servers, by default, lack classification, access auditing, and retention enforcement. These can be added using third-party tools, but require investment and planning.

Cost Implications

Storage isn’t free. Industry estimates put storage costs at around €3,500 per terabyte per year. A 41.5 TB environment costs €145,000 annually—and with 15% annual growth, costs double in five years. Versioning in cloud platforms can further inflate these numbers. A single document with 26 versions may consume 165 MB instead of 6 MB.

Conclusion

Designing a target level for data governance isn’t just about rules—it’s about enabling sustainable, secure, and cost-effective data management. Start with clear ownership, defined retention, and consistent labelling. Avoid pseudo-archiving, classify your content, and remember: migrating data to the cloud without governance doesn’t solve the problem—it simply relocates it. AI can be transformative, but only when built on a foundation of clean, classified, and controlled data.

Want to explore this topic further? Read our article “Unstructured Data Threats and How Top Experts Say You Can Handle It”.

This is Part 3 of our 4-part series on unstructured data. In the last article, we’ll move from planning to execution—exploring practical methods for implementing and maintaining effective data governance.

Identify the Data – Even in Legacy Archives | Part 2/4

Introduction

Legacy data often hides in plain sight—stored in personal folders, shared drives, or temporary locations. These files may contain sensitive information, outdated formats, or undocumented decisions. Identifying what exists, where it resides, and whether it’s still relevant is a critical step in responsible data governance.

Why Legacy Data Matters

Many organisations retain documents far beyond their useful life. These files might not have a valid legal basis and should have been deleted or migrated to a proper application. Such oversights are common and pose compliance risks under GDPR and other regulations. For example, in one environment the files spanned more than 10 years in age, and some of them might still be relevant.

However, when analysing the data, we found that there are large portions of data that are outdated, irrelevant, or duplicates of existing data. Examples include files like printer driver disks for DOS operating systems—spanning over 20 years back—which are typically unnecessary and simply increase storage and backup costs. The data was analysed with the Arctera Information Governance application.

Legacy data can span 20+ years

Old files only add unnecessary storage and backup costs

Digitisation and Discovery

Legacy data isn’t limited to paper archives. Digitised content—especially when migrated from old systems—can still be unmanaged. Without proper classification, digitisation simply shifts the problem from one format to another. Organisations must assess whether old data is needed and ensure it is stored securely and appropriately.

Metadata – The First Layer of Insight

Metadata provides essential clues about a file’s origin and lifecycle: creation date and creator, last accessed date and reader, last modified date and modifier, file type, size, and permissions. However, metadata can be unreliable. System migrations, external vendors, or outdated software may corrupt timestamps. Typically, the modification date is the most trustworthy indicator of a file’s age.
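The “Check” step of Part 3 (retention per data type, with the owner and retention table shown there) combined with the caveat above that modification dates are the most trustworthy age signal but can still be corrupted, as an added PowerShell example that is not part of the original series. The folder names, the category-to-folder mapping and the plausibility cut-off date are assumptions.

```powershell
# Added example, not from the original article. Walks the folder assigned to
# each data category, compares each file's LastWriteTime (the most reliable
# age indicator per the text) with the category's retention period, and
# reports files past retention separately from files whose timestamps look
# corrupted (future dates, or dates before the environment could have existed).

# Constructed retention table mirroring the Part 3 examples; the Folder column
# is an assumed mapping from data category to a subfolder under the root.
$RetentionRules = @(
    [pscustomobject]@{ Category = 'Job applications';    Owner = 'HR';    RetentionMonths = 6;  Folder = 'Recruitment' }
    [pscustomobject]@{ Category = 'Customer complaints'; Owner = 'Legal'; RetentionMonths = 24; Folder = 'Complaints'  }
)

function Get-RetentionFindings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        [object[]]$Rules = $RetentionRules,
        [datetime]$Now = (Get-Date),
        # Timestamps earlier than this are treated as corrupted metadata, not as "very old" files.
        [datetime]$EarliestPlausible = [datetime]'1985-01-01'
    )
    foreach ($rule in $Rules) {
        $dir = Join-Path -Path $Root -ChildPath $rule.Folder
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            Write-Warning "Folder for '$($rule.Category)' not found: $dir"
            continue
        }
        $cutoff = $Now.AddMonths(-$rule.RetentionMonths)
        foreach ($file in Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue) {
            $mod = $file.LastWriteTime
            $status = $null
            if ($mod -gt $Now.AddDays(1) -or $mod -lt $EarliestPlausible) { $status = 'SuspectTimestamp' }
            elseif ($mod -lt $cutoff) { $status = 'PastRetention' }
            if (-not $status) { continue }
            [pscustomobject]@{
                File      = $file.FullName
                Category  = $rule.Category
                Owner     = $rule.Owner
                LastWrite = $mod
                Cutoff    = $cutoff
                Status    = $status
                SizeMB    = [math]::Round($file.Length / 1MB, 2)
            }
        }
    }
}

function Get-RetentionSummary {
    # One row per owner and status: how many files, and how much storage they hold.
    param([Parameter(Mandatory)][string]$Root)
    Get-RetentionFindings -Root $Root |
        Group-Object -Property Owner, Status |
        ForEach-Object {
            [pscustomobject]@{
                Group  = $_.Name
                Files  = $_.Count
                SizeMB = [math]::Round(($_.Group | Measure-Object -Property SizeMB -Sum).Sum, 1)
            }
        }
}

# Usage (root path is a constructed placeholder):
# Get-RetentionSummary -Root 'D:\Shares\HR' | Format-Table -AutoSize
# Get-RetentionFindings -Root 'D:\Shares\HR' | Where-Object Status -eq 'SuspectTimestamp'
```

Files in the SuspectTimestamp group should be checked against creation date or content before any deletion decision, since their modification date cannot be trusted.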

Content Classification Is Essential

Metadata alone isn’t enough. Organisations must classify content to understand what’s inside each file. Tools can detect personal identifiers, financial data, or confidential terms. Classification enables automation, retention enforcement, and risk mitigation. Without it, legacy data remains a blind spot—and a liability.

AI Without Data Awareness Is a Risk

AI tools like Microsoft Copilot or ChatGPT can process vast amounts of data—but if your legacy files contain outdated, sensitive, or misclassified content, AI may expose it unintentionally. Before deploying AI, ensure your data is classified, governed, and access-controlled. Otherwise, you risk amplifying existing vulnerabilities.

Cloud Migration Doesn’t Equal Modernisation

Migrating legacy data to the cloud “as-is” is common—but dangerous. Moving unmanaged files to Microsoft 365 or Google Workspace does not reduce risk or update content. Old formats (e.g. WordPerfect 5.1) remain unsupported, and sensitive data remains exposed unless actively governed.

Migration must be paired with classification, clean-up, and policy enforcement. For example, in one environment, there were thousands of files that could no longer be content-classified, but notably, we found hundreds of WordPerfect 5.x files, all from around 1990—over 35 years old. Opening these files is difficult, as software support often no longer exists.

Environment Limitations

Governance capabilities vary across platforms. Microsoft 365 and Google Workspace offer different features depending on licensing level. Legacy file servers, by default, lack classification, access auditing, and retention enforcement. These can be added using third-party tools but require investment and planning.

Conclusion

Legacy data is often overlooked, yet it holds both risks and opportunities. By identifying what exists, analysing its content, and applying clear retention rules, organisations can reduce exposure, improve compliance, and prepare for future innovations like AI.

But remember: migrating data to the cloud without governance doesn’t solve the problem—it simply relocates it.

This is Part 2 of our 4-part series on unstructured data. If you haven’t yet, check out Part 1: Unstructured Data and Its Challenges. In the next articles, we’ll go deeper into practical methods for managing and governing it.

Want to explore this topic further? Read our article “Unstructured Data Threats and How Top Experts Say You Can Handle It”.

Unstructured Data and Its Challenges | Part 1/4

Introduction

Unstructured data makes up the majority of information in organisations—often more than 80%. Unlike structured data in databases, unstructured data includes emails, documents, spreadsheets, images, videos, and even AI-generated content. It is scattered across systems, unmanaged, and frequently contains sensitive personal data.

What Is Unstructured Data?

Unstructured data refers to information that lacks a predefined format or organisational structure. Examples include job applications and CVs stored as free-text documents, event registration forms with open-ended responses, and emails with attachments containing personal identifiers. These files are typically saved on network drives, cloud platforms, or local devices—often without consistent naming conventions, metadata, or retention policies.

The Scale of the Problem

Studies show that unstructured data accounts for up to 90% of all organisational data. Worse, much of it is “dark data”—information that is collected but never used or properly managed. This leads to increased storage costs, compliance risks under regulations like GDPR, and difficulty in locating and securing sensitive information. To give an example of the scale, one terabyte of data in an unstructured format contains around one million files.

More than 80% of organisational data is unstructured

1 TB ~1 million unstructured files

Why It Matters

Unstructured data often contains personal information, such as health details or national ID numbers. Without proper controls, this data can be exposed, misused, or retained far longer than legally permitted. GDPR mandates data minimisation and purpose limitation—organisations must only collect and retain data that is necessary. A real-world example: A folder labelled ‘Project Applications’ contained anaesthesiologist CVs from 2004, including personal IDs. These files had no valid retention basis and should have been deleted or moved to a secure HR system years ago.

Content Classification Is Essential

Effective data governance starts with knowing what you are managing. Content classification tools help identify sensitive information, such as personal data, financial records, or confidential terms. Without classification, organisations cannot reliably enforce retention, access, or deletion policies.

Classification is the foundation for automation, compliance, and risk reduction. In the following small supplier data overview, organisations had thousands of items requiring deeper analysis. Notably, organisations were also sharing data externally, even via anonymous links—and as we validated, none of these links had expiration dates. The analysis was created with AvePoint Insights and Policies.

AI Without Data Awareness Is a Risk

AI tools like Microsoft Copilot or ChatGPT offer powerful capabilities—but using them without understanding your data landscape is dangerous. If your unstructured data contains outdated, sensitive, or misclassified content, AI may surface or process it inappropriately. Before deploying AI, ensure your data is classified, governed, and access-controlled.

Environment Limitations

It is important to note that environments like Microsoft 365 and Google Workspace offer different governance features depending on licensing level. Legacy file servers, by default, lack most governance capabilities—such as version control, access auditing, or classification. These features can be added using third-party tools, but require planning and investment.

Conclusion

Unstructured data is not just a technical challenge—it is a strategic imperative.

Organisations must invest in tools, processes, and awareness to ensure that this vast and growing data pool is secure, compliant, and useful. Without content classification and governance, even the best AI tools can become a burden.

Want to explore this topic further? Read our article “Unstructured Data Threats and How Top Experts Say You Can Handle It”.

This is Part 1 of our 4-part series on unstructured data. In the next articles, we’ll go deeper into practical methods for managing and governing it.

Background Information of the Data Protection Survey 2021 – 2024

The data protection survey has been conducted since 2021. Responses to the survey have been requested via email and social media.

  • In 2024, 41 individuals responded to the survey.
  • In 2023, 51 individuals responded to the survey.
  • In 2022, 102 individuals responded to the survey.
  • In 2021, 56 individuals responded to the survey.

The response period has been approximately 2 months, and no profiling of the respondents was carried out. The profile of the respondents as well as the size of their organizations has remained very similar, and therefore the results are now available for four years. From these responses, we are already able to observe emerging trends in many areas, such as “is staff trained regularly” or “is GDPR beneficial”.

The results are presented in the report as statistical groups, and the answers of individual respondents cannot be inferred. Personalization data related to survey invitations is deleted from the system within 3 months. Multiple-choice and rating-scale questions are reported as charts. Open-ended responses are listed in the report verbatim, with some highlights included in the survey summary.

It is reasonable to assume that the respondents represent individuals who are at least to some extent interested in the topic. On the other hand, from the verbatim responses it can be deduced that some take a rather critical view of the requirements of data protection law.

Respondent Backgrounds

During the survey years, the distribution of organization size has been very similar, as shown in Figure 1. However, in 2024, there were more organizations with over 1,000 employees among the respondents.

Figure 1: Number of Employees in the Organization

Similarly, the distribution of organizational sectors was very consistent during the survey years. The respondents consisted of a diverse range of companies as well as public sector organizations. See Figure 2.

Figure 2: Business Sector / Type of Organization

The positions of the respondents also showed a very similar distribution during these years, and the respondents represent both decision-makers and employees. See Figure 3.

Figure 3: Position of the Respondents

Regarding the operating environment, the respondents included organizations operating in Finland, as well as internationally active organizations, and also international organizations whose headquarters are abroad. See Figure 4.

Figure 4: Respondents’ Area of Operation


Further Information:

Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech

040 5666 900
juha@gdprtech.com

Technology Meets Data Protection – What Does a Technical Project Specialist Bring to Data Protection Work?

Data protection is not only about legal matters. As organizations become more digital and the processing of personal data shifts into increasingly complex systems and system environments, the importance of technical expertise in data protection work grows.

For efficient and purposeful execution, project management capabilities are also required. When these are combined, the result is the role of a technical project manager.

Data protection is continuous work

The GDPR and other data protection regulations set requirements that, in practice, are fulfilled through technology. Data protection work is not a one-time action, but continuous development – and also about tolerating imperfection. If you polish one area to perfection, another may soon begin to fray. That is why the realistic target level of data protection work is often 8+ rather than 10.

Data protection efforts are typically carried out both as part of ongoing program work and as individual projects. Larger one-time initiatives are best organized in project form, ensuring cost-efficient and effective execution. Projects have a beginning, a middle, and an end – unlike continuous work, where loose ends can easily disappear into the whole and resourcing often remains insufficient.

It is also important to note that data protection work is carried out so that, in the event of exceptional situations, operations remain controlled. It is a completely different matter to act prepared in working groups during normal office hours than to react in haste, with incomplete information and inadequate resources.

Technical project expertise as part of modern business

Technical project expertise brings practicality, efficiency, and impact to data protection work. At its core, it is about the understanding and execution capability through which regulatory requirements are implemented in practice.

Data protection is not only about compliance. It is part of modern, responsible, and sustainable business.

Would you like to hear more about how we can help your organization? Get in touch!


Data Protection Survey 2024: GDPR Is Already Part of Everyday Life, but Not Fully in Practice

The Finnish company GDPR Tech Oy has, in cooperation with its partner Tutkimusvoima (Raimo Pöllänen), conducted a survey on the current state of data protection since 2021. The study examines how the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act have affected the operations of companies and organizations in Finland.

The research results provide unique and new insights into the GDPR and its impacts in Finland. The findings help analyze the current state and development of data protection in Finnish organizations. The survey content has remained the same since 2021 to ensure reliable tracking of developments.

Data protection work is carried out in organizations in accordance with GDPR, the EU’s General Data Protection Regulation, and is generally considered beneficial. However, exceptional situation drills are still carried out in only about one-third of organizations.

You can find more detailed information about the study and respondents here!

Key Statistics on Compliance with Data Protection in Finland in 2024

  • The majority of respondents feel that GDPR and the national Data Protection Act have increased trust in the processing of personal data. The figure has risen from 71% in 2021 to 88% in 2024 – a significant increase in trust.
  • Nearly four out of five respondents (78%) believe that GDPR benefits the organization. Open-text responses support this, for example, with observations related to information management.
  • Concern among respondents about their own personal data has grown from about 44% previously to 54%.
  • Still, only 60% of respondents believe that organizations take sufficient care of data protection.
  • Emergency and disaster drills have increased compared to previous years, and now about 39% of organizations have carried them out.

Trust in Data Protection Work Is Growing – Organizations Also See the Benefits

Nearly 90% of respondents in 2024 believe that GDPR and the national Data Protection Act have improved trust in data processing. The percentage has grown from 71.4% in 2021 to 88% in 2024 – a significant increase.

More than 78% of respondents feel that GDPR benefits the organization. This continues the trend that began in 2021: the initial perception that “GDPR prohibits everything” has changed. Now it is recognized that data protection work can also have positive effects. This is also well reflected in the responses – although some still consider GDPR harmful.

Survey Respondent
(GDPR) complicates things in every possible way. I would no longer want to deal with the consumer when you only fear that some loophole will remain open and you will be taken to court because of it.
Survey Respondent
(GDPR) benefits: data destruction, clarity of processes.
Survey Respondent
(GDPR) threats: of course, identity theft can be a problem, but the responsibility should lie with the seller, not the buyer. Identity theft should not be the threat – instead, creating the customer relationship should be so clear that there is no room for misuse.
Survey Respondent
(GDPR) opportunities: I suppose IT systems will gradually learn managed destruction. The end result may be a good process, but I am not entirely convinced of its benefits.

Image 1: Trust in data processing – yes responses

Image 2: Does GDPR benefit your organization – yes responses

GDPR Did Not Remain Solely the Responsibility of IT

According to the 2021 survey, responsibility for data protection work lay with different units, such as IT, finance, HR, and legal departments. In the 2024 responses, the share of finance has, somewhat surprisingly, decreased significantly.

Image 3: Which unit/units in your organization are responsible for data protection (GDPR)?

Risk management improved in 2024. In 2023, by contrast, the trend was declining, with risks going unassessed. IT plays a significant role in practical data protection work – particularly in data security and technical safeguards – but risk management in organizations is generally not part of IT’s responsibilities.

The 2024 responses show a clear improvement in the management of risks related to personal data. Behind the responses may also be increased awareness of data breaches highlighted in the media.

Image 4: Has your organization assessed the risks related to personal data?

What is concerning are the answers to the question “Do you think your organization has taken sufficient care of data protection?” The share of “NO” answers has risen from 25.5% in 2023 to as much as 29% in 2024.

“In customer work, one still sees situations where the attitude is that data protection is not our responsibility. For example, a customer service manager refused to participate in a data protection impact assessment workshop led by the Data Protection Officer because ‘data protection does not belong to us.’ In that organization, training has been available, but not everyone has completed it – this is visible in practice.”

Juha Sallinen, CEO of GDPR Tech

Image 5: In your opinion, has your organization taken sufficient care of data protection?

Survey Respondent
There are clear frameworks for the retention of personal data.
Survey Respondent
Affects all activities involving the processing, confidentiality, retention, and disclosure of information linked to individuals.

One in Five Employees Is Not Trained in Data Protection

Of respondents, 80% report that new employees are given data protection guidance as part of onboarding. This means that one-fifth of respondent organizations do not train new employees on data protection during orientation. Some respondents reported that training is sometimes forgotten for individual employees, and regular refresher training is often entirely missing.

According to Juha Sallinen, CEO of GDPR Tech, practical measures in organizations are often fragmented:

“We have often noticed situations where an organization trained its staff in some way in 2018, but not since. It is also common that GDPR or data protection training is available, but completion is not monitored.”

Survey Respondent
Provide a good foundation for the processing of personal data
Survey Respondent
The obstacle and threat is that public sector work has been made more difficult, and mandatory supervision costs thousands per year. Public administration must verify its activities, which are often already statutory. But this verification costs money that goes into matters unbeneficial to operations. GDPR slows down and complicates public administration activities and costs money. It does not make our work easier or faster.

Image 6: Is GDPR guidance part of employee onboarding?

Image 7: Has your staff been trained to operate in compliance with GDPR?

Awareness of Sanctions Has Grown – Attitudes Toward GDPR Vary

The survey asked respondents whether they are aware of possible consequences of data protection violations, such as fines or bans on processing. All respondents (100%) stated that they are well aware of what happens if the law is not complied with adequately. In 2021, the corresponding share was about 93%. We assume that awareness has grown partly due to media coverage of data protection sanctions.

Respondents also commented on the topic from very different perspectives. Some felt that organizations now take GDPR issues more seriously than before, while others considered the level of awareness still insufficient.

Survey Respondent
Slows down and complicates things greatly, even though I consider it important. There is also a constant worry and fear about whether I have done something wrong.
Survey Respondent
Dozens of systems and thousands of employees. Turnover is high. Attention must be paid to managing the data of former employees.

Image 8: Awareness of consequences if the law is not complied with

Trust Is Missing – Data Protection Needs Concreteness

Based on the responses, the level of trust in organizations’ data protection practices is concerning. When asked whether they are worried about the processing of their own data, a majority (54%) said they were. The implementation of data protection and risk management clearly requires more work in order to strengthen trust in the processing of personal data.

Image 9: Are you concerned about your own data?

Cookies Track – but Few Know How

The question “Did you know that website cookies track your behavior and target marketing of other products as well?” measured respondents’ awareness of website tracking technologies – and the results are worrying. Despite all the cookie and tracking consents, respondents are still uncertain about what happens on websites and what is done with their data.

The uncertainty is likely increased by the fact that in Finland, user tracking on websites is supervised not by the Data Protection Ombudsman but by Traficom, whose guidelines on the subject were already published in 2021. These guidelines have likely gone unnoticed by many. In Finland, there still do not appear to be consequences or sanctions for the use of tracking technologies contrary to official guidelines.

Image 10: Did you know that website cookies track your behavior and target marketing for other products as well?

Survey Respondent
GDPR largely defines to whom marketing messages can be sent and what must be taken into account in marketing automation. In addition, website privacy policies and cookie practices have had to be adjusted quite a lot because of GDPR.

Data Protection Work Requires Continuity – Projects Alone Are Not Enough

Based on responses over four years, it appears that in many organizations, data protection measures have been carried out as projects, but their integration into everyday operations has remained insufficient. Although GDPR is still a relatively young regulation, user awareness is clearly increasing.

Discussions and media often highlight data protection legislation and the need for related communication. An increasing number of consumers are concerned about their personal data and expect organizations to act lawfully with regard to GDPR as well.

The number of data breaches and sanctions that have reached the media in Finland is still very small compared to many other European countries. This is partly explained by Finland’s small population.

Respondents’ comments highlight concerns related to artificial intelligence, data use, and costs. The views are similar to those seen in projects and training. Misinterpretations of GDPR still exist, leading to perceptions of it as too restrictive. In organizations where data protection work has been integrated into everyday operations, clear benefits have been achieved, such as harmonization, clarification, and process efficiency.

“Trust is key – with transparency and accountability, customer trust in the company can be strengthened,” Sallinen concludes.

More information:

Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech

040 5666 900
juha@gdprtech.com

Perspectives on Outsourced Data Protection

Can the role of a Data Protection Officer (DPO) be outsourced, and what are the benefits?

“The role of a DPO can certainly be outsourced,” says GDPR specialist and outsourced Data Protection Officer Jaanaliisa Kuoppa. Surprisingly large organizations have chosen this solution. The position requires specialized expertise and continuous skills development, which few organizations have the capacity to maintain. Most companies also lack the resources to appoint a full-time expert to the role, Jaanaliisa continues.

The benefit of outsourcing lies in the fact that a dedicated expert gathers insights and solutions across different clients, which in turn effectively benefits the purchasing client organization.

When should the role of a DPO not be outsourced? Outsourcing is not recommended when the role requires 100% commitment and intensive collaboration with the organization’s experts and management, Jaanaliisa explains. Even then, outsourcing is possible, but it may not necessarily be optimal for the client organization.

If the Work Is Not Done, Data Protection Debt Accumulates

“The DPO’s workload varies significantly depending on the industry, the size of the organization, and its geographical scope and location,” explains GDPR Tech founder, information management and technology architect Juha Sallinen.

Juha provides a concrete example: “One of our new clients had previously allocated only four hours per month of one person’s time for data protection work. This led to a data protection debt, because in that time it is not possible to provide guidance, training, self-development, let alone monitor changes in privacy interpretations, and so on.”

The client initially tackled the debt with 16 hours of monthly effort. Since then, the workload has been adjusted to eight hours per month, supplemented by additional tasks as needed.

In an international organization, simply monitoring state-specific privacy changes in the United States alone consumes significant work hours. A functional structure in international organizations often seems to be a “Global Head of Privacy” supported by an operational team, Juha notes. The DPO’s role is to guide and supervise, which often requires a determined, project manager–like approach.

Data Protection Debt Can Be Reduced Through Determined Project Work

GDPR Tech’s Technical Project Manager, Mervi Hongisto, shares her perspective:
“It is essential to define how much data protection work will be carried out proactively and in a controlled manner during regular office hours. At the same time, it must be assessed what risks the organization is willing to accept regarding tasks left undone.”

Even a small amount of systematic neglect is inadequate for risk management and therefore not advisable.

“Good project management provides concrete tools and visibility into the key priorities of data protection work,” Mervi continues. An outsourced project manager can at best provide the client with a prioritization overview that is aligned with the client’s other assignments. At the same time, effective implementation is ensured, which also builds the client’s own expertise.

Responsibility of the Service Provider and the Client

“There is a known case where a single consultant acts as the DPO for as many as 600 organizations,” Juha Sallinen points out. This raises a critical question about the adequacy of resources. The client bears the responsibility to ensure that the purchased service truly meets the requirements of data protection work. The provider, in turn, must be able to demonstrate that the resources and expertise are sufficient to serve such a wide client base. This highlights the importance of quality and accountability in data protection practices.

Ideally, an organization itself should have enough knowledge to decide whether it wants—or is able—to outsource the DPO role.

At GDPR Tech, we have a structured, cost-effective, and easily customizable approach to delivering the service.

Responsibility itself cannot be outsourced, even if many other things can.

Considering Outsourcing Your Data Protection Work?

DPOaaS (Data Protection Officer as a Service) is a safe and cost-effective solution when you need an expert to help your company meet current, legally mandated data protection obligations—without hiring a full-time employee.

Get in touch also if you need a temporary substitute, a backup person for your DPO work, or a sparring partner to assess the state of your data protection!

Experts Featured in the Article:

Jaanaliisa Kuoppa – GDPR Specialist, Outsourced Data Protection Officer, part of the DPO Team

Juha Sallinen – Entrepreneur, Information Management and Technology Architect, Outsourced Data Protection Officer, part of the DPO Team

Mervi Hongisto – Technical Project Manager, Outsourced Data Protection Officer, part of the DPO Team

Customer Story: Information Security Is Continuous Work – Keitele Group’s Story of Staff Training

Keitele Group is a family-owned company that has grown to become one of Finland’s largest operators in mechanical wood processing and the country’s largest manufacturer of wood products. In a large, internationally operating company, information security is taken seriously. The Group’s IT Manager, Veli Matti Häkkinen, explains that the importance of information security has increased further with digitalization and today’s interconnected world. Managing information security has become increasingly demanding, requiring constant effort.

Information Security as a Support for Modern Business

The interconnectedness of the world has brought new threats that are no longer dependent on physical location. “The number of risks has increased, and the situation has steadily worsened,” Häkkinen notes, highlighting especially the impact of artificial intelligence. Fraud has become more convincing and harder to detect.

To respond to these growing threats, Keitele Group relies on technical solutions such as strict access control, as well as regular training. Häkkinen welcomes the requirements set by legislation on companies regarding information security: “Nowadays, laws related to information security also place demands on companies – and that is a good thing,” Häkkinen states.

Staff Training in a Key Role

Keitele Group invests in the information security and data protection competence of its staff through training programs. In 2024, around 200 employees participated in training, and the company is already planning further sessions for 2025.

The training has proven highly useful, successfully raising awareness of the importance of information security particularly among basic users: “That is exactly what we aimed to achieve with the training,” Häkkinen explains. The training has been effective especially thanks to its flexibility – each employee can complete it at a time that suits them.

Raising Awareness Through Training

The level of difficulty in the training has been perceived as especially successful. “Feedback has shown that the training is pitched at exactly the right level: not too simple and not too complex,” the IT Manager says. Although overall participation was strong, Häkkinen points to an interesting observation. “While the activity level in training was good, there remains a small group of individuals who were not interested. It raises the question of how much they care about information security at all.”

The training has proven to be an effective way to raise staff awareness, even if measuring the exact benefits is challenging. At Keitele Group, training will continue in the future as part of the company’s ongoing development of information security: “Training will be continued in the future as well,” Häkkinen confirms.

Staying Alert for the Future

Keitele Group continues to invest in information security and is already planning further training sessions for 2025. “We actively monitor the development of security threats and are ready to react if necessary,” Häkkinen emphasizes.

When asked for his advice to other IT managers who have not yet invested in data protection or security, Häkkinen’s view is clear: information security requires continuous effort. According to him, those responsible for information security are well aware of its importance and the growing threats. Information security is not a one-time project but a continuous process requiring regular attention and resources. Training has proven to be an effective way to strengthen Keitele Group’s information security and data protection expertise. “I recommend this kind of training,” Häkkinen concludes.

Learn more about Keitele Group here: https://www.keitelegroup.fi/

Explore GDPR Tech’s training offering here: https://gdprtech.com/en/gdpr-training/