Background on the 2021-2023 Data Protection Survey

The data protection survey was conducted from 2021 onwards. Responses to the survey were solicited via email and social media.

  • In 2023, 51 people responded to the survey.
  • In 2022, 102 people took part in the survey.
  • In 2021, 56 people completed the survey.

A response period of approximately 2 months was given and no profiling of respondents was carried out. The profile of the respondents and the size of the organisations have remained very similar, so the results are now available for three years. From these responses, we can already see trends in a number of areas, such as ‘are staff trained regularly’ or ‘is the GDPR useful’.

The results are treated in the report as a statistical set, and no individual respondent’s answers can be inferred from the results. Personal data associated with the questionnaires will be deleted from the system within 3 months. Choice and rating questions are reported as graphs. The respondents’ own answers to the open-ended questions are listed in the report, with some highlights in the survey summary.

It can be assumed that the respondents to the survey represent people who are at least somewhat interested in the subject. On the other hand, it can be inferred from the responses to the survey that some of them are quite critical of the requirements of the Data Protection Act.

As far as the respondents are concerned, the distribution of the size of the organisations was very similar in the years of response. It is worth noting that almost 60% of respondents work in organisations with more than 50 employees and just over 25% of respondents work in organisations with more than 1,000 employees. Clearly, both small and large organisations are interested in GDPR issues. See Figure 1.

Figure 1: Number of staff in the organisation

Työntekijää = (Number of) Employees

The distribution of organisations by sector was also very similar across the years of response. Respondents were a diverse mix of companies and public sector actors. See Figure 2.

Figure 2: Sector of the enterprise/organisation

B to B palveluiden myynti yrityksille (liike-elämän palvelut) = Sale of B to B services to businesses (business services)
B to C palveluiden myynti kuluttajille = Sale of B to C services to consumers
B to B tuotteiden myynti yrityksille (teollisuus, laitteet) = B to B product sales to companies (industry, equipment)
B to C tuotteiden myynti kuluttajille = Sale of B to C products to consumers
Julkisen sektorin organisaatio = Public sector organisation

The distribution of respondents’ professional positions was very similar across these years. Respondents represent both decision-makers and employees. See Figure 3.

Figure 3: Professional positions of respondents

Johto = Upper management
Esihenkilö = Manager
Ylempi toimihenkilö = Senior staff member
Toimihenkilö tai työntekijä = Staff member or employee

With regard to the working environment, respondents included employees from companies operating in Finland, companies operating internationally and international companies with headquarters abroad. See Figure 4.

Figure 4: Respondents’ working environments

Toimimme vain Suomessa = We only operate in Finland
Toimimme kansainvälisesti, päätoimipaikka Suomessa = We operate internationally, with headquarters in Finland
Toimimme kansainvälisesti, päätoimipaikka ulkomailla = We operate internationally, with headquarters abroad


Further information:

Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech 

040 5666 900
[email protected]

Data Protection Survey 2023: GDPR benefits organisations, but not enough effort is being put into it

Organisations are implementing data protection work and complying with the GDPR, the EU’s General Data Protection Regulation, to protect personal data. Organisations also perceive that they benefit from these activities. However, fewer than a third of organisations practise contingency planning.

The Finnish company GDPR Tech, together with Garagelabs, has conducted a survey from 2021 onwards focusing on the current state of data protection. The survey examines how the EU General Data Protection Regulation (EU GDPR), the Data Protection Act (TSA) or similar regulations have affected the operations of companies and organisations operating in Finland.

The results of the study provide unique and unparalleled insights into the GDPR and its impact in Finland. This data will enable an analysis of the current state of data protection and its reception in Finland. The survey has been similar from 2021 onwards to allow us to monitor the development of the topic and changes over time.


Main data protection compliance statistics in Finland in 2023

    • The majority of respondents feel that the GDPR, as well as the national data protection law, has improved their confidence in the processing of their data. This has increased from 71.4% in 2021 to 78.0% in 2023. This is a significant increase in confidence.
    • However, only 60% of respondents feel that data protection is adequately taken care of in their organisation.
    • Public administrations in particular, but also other stakeholders, are affected by the Data Management Act, which affected more than 43% of respondents in 2023.
    • The majority of respondents (over 80%) know who the Data Protection Officer is in their organisation.
    • Emergency and disaster drills have increased, but still only around a third of organisations (31.4% in 2023) carry them out.


Confidence in data processing and perceived benefits continue to grow

In 2023, almost 80% of respondents feel that the GDPR and national data protection law have improved their trust in data processing. This is an increase from 71.4% in 2021 to 78% in 2023.

More than 68% of respondents feel that the GDPR has benefited their organisation. This is a continuation of the trend in 2021, where the initial ‘GDPR says no to everything’ attitude has been replaced by a recognition that data protection can also have a positive impact. This is clearly reflected in respondents’ attitudes, although some still perceive the GDPR as a disadvantage.

Respondent
The lack of understanding results in numerous unnecessary data processing agreements, documents and reports. I see the benefit of increased attention to data protection issues, even if the measures are still mainly taken to fulfill formalities rather than to actually improve data protection.
Respondent
Costs are incurred and data training, digital learning and surveys are carried out, but the work does not change because it cannot change.
Respondent
Data processing is now much more systematic, which has made it easier to find information, for example. The disadvantage is the need to document and maintain that data. I still see the threat that people will not comply with these regulations and thus there will be data leaks. The opportunity I see is that information in general will become more organised and manageable.


Figure 1: Confidence in data processing? – Yes answers


Figure 2: Does GDPR benefit your organisation? – Yes answers

 

One in five believe GDPR implementation is the sole responsibility of the IT department

According to the 2021 survey, a range of departments were responsible for data protection, including IT, finance, HR and legal. The legal department accounted for up to a third of data protection work, according to respondents. In the 2022 and 2023 surveys, the legal department’s share dropped to less than 28%.

In the 2023 survey, around a fifth of respondents felt that GDPR had been left to IT alone. Risk management is a particular concern. In 2023, a downward trend was observed where risks had not been adequately mapped. Although the practical work of data protection, especially in terms of technical safeguards, is mainly done in IT, risk management in the organisation is generally not the responsibility of IT.


Figure 3: Has GDPR left only IT to deal with?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

 

Figure 4: Has your organisation identified the risks associated with personal data? – Yes answers

 

The answer to the question “Do you think you have adequate data protection in place?” is also a cause for concern, with a quarter of respondents (25.5%) answering in the negative.

“We have been conducting data protection snapshots with different organisations for years and we can see an increase in employee awareness. People are now more critical of the organisation’s practices and more open about their findings. Especially in medium-sized companies, risk management usually does not cover data protection risks as part of ongoing risk management. Data protection operates as a separate process.”

Juha Sallinen, CEO – GDPR Tech


Figure 5: Do you think that data protection has been adequately taken care of?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

 

Respondent
Awareness of data protection issues has improved substantially and processes have been developed, etc.
Respondent
The risk is old systems, partly external users of the systems, people also do not understand the purpose of the data protection law or how it affects their work.

At least one in four employees has no data protection training

Just over 60% of respondents say that new employees receive a data protection briefing as part of their induction. Worryingly, however, from a good performance in 2021, when almost 90% of employees were trained in GDPR, this figure has fallen to 75% in 2023. Meanwhile, a quarter of respondents do not train new employees on data protection as part of their induction.

Some respondents mentioned that employees are not always reminded to familiarise themselves with data protection, and there is also a lack of regular training. According to Juha Sallinen, CEO of GDPR Tech, practical action in organisations is often fragmented:

“We have often seen a situation where an organisation has trained its staff in some way in 2018, but nothing has happened since. It is also common that GDPR and data protection training is available, but performance is not monitored.”

Respondent
There is a lot of data phishing going on, so it takes a lot of effort in terms of privacy and security, but of course it is essential and understandable in any sector. Also, we're dealing with sensitive data, so it's particularly important to make sure that everyone understands the importance of data protection and doesn't see it as a mandatory evil or as something they can get away with.
Respondent
GDPR is a complete waste of time and resources. Nothing has changed except that websites are full of pop-ups and everything is more complicated.


Figure 6: Is GDPR guidance part of the induction?


Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say


Figure 7: Do you have GDPR compliance training in place for your staff?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

 

Finnish organisations are aware of GDPR consequences and sanctions

Respondents were asked if they were aware of possible sanctions for data protection violations, such as fines or processing bans. 100% were aware of what happens if the law is not adequately complied with. This compares to 93% in 2021. We suspect that the increase in awareness has also been influenced by the news of data breaches that appear in the media from time to time.

Some respondents felt that organisations are now taking GDPR more seriously, while others felt that there is still a lack of awareness.

Figure 8: Are you aware that there may be sanctions (fines or processing bans) for non-compliance with the GDPR? (Not applicable to public administration in Finland) – Yes answers

 

Confidence in the protection of personal data at organisational level is generally low

It is worrying that respondents have little confidence in the ability of organisations to protect their data. When asked if they were concerned about how their own data was being handled, just over 50% said they were not concerned. However, across 2021-2023, more than 40% of respondents said they were concerned about how their own data is handled. Clearly, more work is needed on data protection enforcement and risk management to improve trust in the way our data is handled.

Figure 9: Recently, there have been cases in the media where personal data have been leaked to criminals. Are you concerned about your personal data? – Yes answers

 

Website cookies and visitor tracking are not clear to everyone

The question ‘Are you aware that website cookies are used to track your behaviour and to target marketing of other products’ asked respondents about their awareness of website tracking technologies. The answers provide some worrying information. Despite granting cookies and tracking permissions, respondents are less aware of what is happening on the website and therefore less aware of how their data is being used.

This can be confusing. For example, in Finland the monitoring of website users is under the supervision and guidance of Traficom and not the Data Protection Ombudsman. Many people may have missed Traficom’s 2021 guidelines, and in Finland it appears that there will be no sanctions for cookie processing.

Figure 10: Did you know that website cookies track your behaviour?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

Respondent
Since we have data, we need to use it for productivity, economic growth and to fight crime. Data and AI are needed.

There is still room for improvement in data protection work

The responses over the three years suggest that many organisations have implemented GDPR activities as a project, but these activities have not been translated into day-to-day operations. Although the GDPR is still a relatively new regulation, user awareness of it continues to grow. Discussions and media coverage often focus on data protection legislation and how to communicate it more widely. 

In Finland, the number of data breaches that have reached the media and the resulting sanctions has been relatively low compared to other European countries. Nevertheless, more and more consumers are concerned about their own data and expect organisations to act in accordance with the law, including the GDPR.

“For the first time, AI and the use of data also appear in respondents’ comments. The different views of respondents remind us of the challenges we see in projects and training. We have noticed misunderstandings about the topic, which is why some feel that GDPR ‘bans everything’. In organisations where policies are clearly defined and data protection is part of daily operations, benefits such as consistency and operational clarity have been achieved. Process efficiency and operational clarity have also been observed among respondents. The importance of trust is highlighted in several responses – transparency and accountability can improve customer trust in the organisation,” Sallinen concludes.
