Design the Target Level | Part 3/4

Unstructured data is growing rapidly, and without a clear governance strategy, organisations risk being overwhelmed by outdated, unmanaged, and potentially sensitive information. Designing a target level for data governance is essential—not just for compliance, but for operational efficiency, cost control, and AI readiness.

Start with a Plan

The lifecycle of unstructured data should follow a structured model:
Plan → Do → Check → Act

  • Plan: Define what data is collected, from whom, and for what purpose. Consider mergers, reorganisations, and legacy systems that may introduce risks.
  • Do: Implement storage practices in appropriate systems—HR platforms, cloud libraries, or network drives.
  • Check: Regularly audit data age, access rights, and compliance with retention policies.
  • Act: Remove or manage data that has reached the end of its lifecycle.

Define Ownership, Retention, and Labelling

Every data type should have a designated owner, retention period, and storage location. For example:

  • Job applications → Owner: HR → Retention: 6 months → Location: Sympa HR system
  • Customer complaints → Owner: Legal → Retention: 2 years → Location: a secure document repository

In addition to ownership and retention, high-level labelling (e.g. “HR”, “Internal”, “Confidential”) helps contextualise data for access control and policy enforcement. These labels can be applied manually or automatically based on metadata, folder structure, or file content.

Content Classification Is Essential

Governance begins with knowing what you’re managing. Content classification tools scan files to detect sensitive information—such as personal identifiers, financial records, or regulated terms. These labels (e.g. “Contains SSN”, “PII”, “Contractual”) enable automation, retention enforcement, and risk mitigation. Classification is also a prerequisite for safe and effective AI use.

AI Without Data Awareness Is a Risk

AI tools like Microsoft Copilot or ChatGPT offer powerful capabilities, but using them without a clear understanding of your data landscape is risky. If your unstructured data contains outdated, sensitive, or misclassified content, AI may surface or process it inappropriately. Before deploying AI, ensure your data is classified, governed, and access-controlled.

Cloud Migration Doesn’t Equal Modernisation

Migrating legacy data to the cloud “as-is” is common—but risky. Moving unmanaged files to Microsoft 365 or Google Workspace does not reduce risk or modernise content. Old formats (e.g. Lotus 1-2-3, Word 2) remain unsupported, and sensitive data remains exposed unless actively governed. Migration must be paired with classification, clean-up, and policy enforcement.

Environment Limitations

Governance capabilities vary across platforms. Microsoft 365 and Google Workspace offer different features depending on licensing level. Legacy file servers, by default, lack classification, access auditing, and retention enforcement. These can be added using third-party tools, but require investment and planning.

Cost Implications

Storage isn’t free. Industry estimates put storage costs at around €3,500 per terabyte per year, so a 41.5 TB environment costs roughly €145,000 annually, and at 15% annual growth (1.15^5 ≈ 2.0) that cost doubles in five years. Versioning in cloud platforms inflates these numbers further: a single 6 MB document with 26 retained versions may consume around 165 MB.

Conclusion

Designing a target level for data governance isn’t just about rules—it’s about enabling sustainable, secure, and cost-effective data management. Start with clear ownership, defined retention, and consistent labelling. Avoid pseudo-archiving, classify your content, and remember: migrating data to the cloud without governance doesn’t solve the problem—it simply relocates it. AI can be transformative, but only when built on a foundation of clean, classified, and controlled data.

Want to explore this topic further? Read our article “Unstructured Data Threats and How Top Experts Say You Can Handle It”. Click here to read more!

This is Part 3 of our 4-part series on unstructured data. In the last article, we’ll move from planning to execution—exploring practical methods for implementing and maintaining effective data governance.

Identify the Data – Even in Legacy Archives | Part 2/4

Introduction

Legacy data often hides in plain sight—stored in personal folders, shared drives, or temporary locations. These files may contain sensitive information, outdated formats, or undocumented decisions. Identifying what exists, where it resides, and whether it’s still relevant is a critical step in responsible data governance.

Why Legacy Data Matters

Many organisations retain documents far beyond their useful life. Such files often no longer have a valid legal basis and should have been deleted or migrated to a proper application. These oversights are common and pose compliance risks under GDPR and other regulations. For example, in one environment the age of the data spanned more than 10 years, some of which might still be relevant.

However, when we analysed the data, we found that large portions of it were outdated, irrelevant, or duplicates of existing data. Examples include printer driver disks for DOS operating systems, going back more than 20 years, which are typically unnecessary and simply increase storage and backup costs. The data was analysed with the Arctera Information Governance application.

Legacy data can span 20+ years

Old files only add unnecessary storage and backup costs

Digitisation and Discovery

Legacy data isn’t limited to paper archives. Digitised content—especially when migrated from old systems—can still be unmanaged. Without proper classification, digitisation simply shifts the problem from one format to another. Organisations must assess whether old data is needed and ensure it is stored securely and appropriately.

Metadata – The First Layer of Insight

Metadata provides essential clues about a file’s origin and lifecycle: creation date and creator, last accessed date and reader, last modified date and modifier, file type, size, and permissions. However, metadata can be unreliable: system migrations, external vendors, or outdated software may corrupt timestamps, and a plain copy often resets the creation date to the date of the copy. Typically, the modification date is the most trustworthy indicator of a file’s age, and even it should be sanity-checked against the plausible lifetime of the system it came from.

Content Classification Is Essential

Metadata alone isn’t enough. Organisations must classify content to understand what’s inside each file. Tools can detect personal identifiers, financial data, or confidential terms. Classification enables automation, retention enforcement, and risk mitigation. Without it, legacy data remains a blind spot—and a liability.

AI Without Data Awareness Is a Risk

AI tools like Microsoft Copilot or ChatGPT can process vast amounts of data—but if your legacy files contain outdated, sensitive, or misclassified content, AI may expose it unintentionally. Before deploying AI, ensure your data is classified, governed, and access-controlled. Otherwise, you risk amplifying existing vulnerabilities.

Cloud Migration Doesn’t Equal Modernisation

Migrating legacy data to the cloud “as-is” is common—but dangerous. Moving unmanaged files to Microsoft 365 or Google Workspace does not reduce risk or update content. Old formats (e.g. WordPerfect 5.1) remain unsupported, and sensitive data remains exposed unless actively governed.

Migration must be paired with classification, clean-up, and policy enforcement. For example, in one environment there were thousands of files that could no longer be content-classified, and notably, we found hundreds of WordPerfect 5.x files, all from around 1990—over 35 years old. Opening these files is difficult, as software support often no longer exists.
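The checks described in the metadata, classification and migration sections above, brought together in one added example (this is not code from the original article, nor from the Arctera tool it mentions). It walks a directory tree, dates each file from its modification time with plausibility checks, detects WordPerfect 5.x/6.x files by their 0xFF 'W' 'P' 'C' signature, and scans file content for Finnish personal identity codes, validating the check character so that look-alike strings are not reported. The sample files, their contents, the identity codes in them and their timestamps are constructed inside the script; the label names, the one-day skew tolerance and the 1980 cut-off for plausible timestamps are assumptions made for illustration.

```python
import os
import re
import tempfile
import time
from dataclasses import dataclass, field

# Signatures of legacy formats that current office suites no longer open.
# WordPerfect 5.x/6.x documents begin with the bytes 0xFF 'W' 'P' 'C'.
LEGACY_MAGIC = {b"\xffWPC": "WordPerfect"}

# Assumed cut-off: a modification time before 1980-01-01 is treated as corrupt.
EARLIEST_PLAUSIBLE_MTIME = 315532800.0

# Finnish personal identity code (henkilotunnus): DDMMYY, century marker,
# three-digit individual number, check character. The check character is
# DDMMYYNNN mod 31 indexed into this 31-character alphabet.
HETU_CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"
HETU_RE = re.compile(
    r"\b(\d{2})(\d{2})(\d{2})([-+ABCDEFUVWXY])(\d{3})([0-9A-FHJ-NPR-Y])\b"
)


def hetu_is_valid(day, month, year, individual, check):
    """True only if the date part is plausible and the check character matches."""
    if not (1 <= int(day) <= 31 and 1 <= int(month) <= 12):
        return False
    return HETU_CHECK_CHARS[int(day + month + year + individual) % 31] == check


def find_hetus(text):
    """Return the identity codes in text that pass the checksum; look-alikes are dropped."""
    return [
        m.group(0)
        for m in HETU_RE.finditer(text)
        if hetu_is_valid(m.group(1), m.group(2), m.group(3), m.group(5), m.group(6))
    ]


@dataclass
class FileRecord:
    path: str
    size: int
    age_days: float
    format: str = "other"
    pii_hits: int = 0
    labels: list = field(default_factory=list)
    flags: list = field(default_factory=list)


def classify_file(path, root, now):
    st = os.stat(path)
    rec = FileRecord(path=os.path.relpath(path, root), size=st.st_size,
                     age_days=(now - st.st_mtime) / 86400.0)
    # mtime is the best single age indicator, but a migration can leave it in
    # the future or at an impossible date; st_ctime is no help because on Linux
    # it is the inode change time, not the creation time.
    if st.st_mtime > now + 86400:
        rec.flags.append("future_mtime")
    elif st.st_mtime < EARLIEST_PLAUSIBLE_MTIME:
        rec.flags.append("implausible_mtime")
    with open(path, "rb") as fh:
        head = fh.read(1 << 20)  # classify on the first MiB only
    for magic, name in LEGACY_MAGIC.items():
        if head.startswith(magic):
            rec.format = name
            rec.flags.append("legacy_format")
    hits = find_hetus(head.decode("utf-8", errors="ignore"))
    if hits:
        # Record a label and a count, not the identifiers themselves, so the
        # inventory does not become yet another copy of the personal data.
        rec.labels.append("PII:FI_HETU")
        rec.pii_hits = len(hits)
    return rec


def inventory(root, now=None):
    """Walk root and classify every regular file; result is sorted by relative path."""
    now = time.time() if now is None else now
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            records.append(classify_file(os.path.join(dirpath, name), root, now))
    return sorted(records, key=lambda r: r.path)


def build_sample_tree(root, now=None):
    """Constructed sample data: four files with deliberately chosen timestamps."""
    now = time.time() if now is None else now
    samples = {
        "hr/application.txt": (b"Applicant 131052-308T, received 2019.", now - 400 * 86400),
        "legacy/report.wp": (b"\xffWPC" + b"\x00" * 60, 641520000.0),  # 1990-05-01
        "notes.txt": (b"Ticket 131052-308A (not a valid code).", now - 10 * 86400),
        "future.txt": (b"timestamp skewed during migration", now + 10 * 86400),
    }
    for rel, (content, mtime) in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.utime(path, (mtime, mtime))
    return root


def demo():
    """Build the sample tree in a temp dir and return the records keyed by path."""
    root = tempfile.mkdtemp(prefix="inventory-")
    build_sample_tree(root)
    return {r.path: r for r in inventory(root)}


if __name__ == "__main__":
    for path, rec in demo().items():
        print(f"{path:22} {rec.age_days:8.1f} d  {rec.format:12} "
              f"{','.join(rec.labels) or '-':12} {','.join(rec.flags) or '-'}")
```

Run it directly to print the inventory; `demo()` returns the records keyed by relative path so the result can be inspected or fed into a retention rule such as the owner/retention table in Part 3. Two design points carry over to real tooling: validate identifiers with their checksum rather than by pattern alone, or the scan drowns in false positives from ticket numbers and dates, and keep the matched values out of the report, since a classification inventory that stores the identifiers is itself a new store of personal data.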

Environment Limitations

Governance capabilities vary across platforms. Microsoft 365 and Google Workspace offer different features depending on licensing level. Legacy file servers, by default, lack classification, access auditing, and retention enforcement. These can be added using third-party tools but require investment and planning.

Conclusion

Legacy data is often overlooked, yet it holds both risks and opportunities. By identifying what exists, analysing its content, and applying clear retention rules, organisations can reduce exposure, improve compliance, and prepare for future innovations like AI.

But remember: migrating data to the cloud without governance doesn’t solve the problem—it simply relocates it.

This is Part 2 of our 4-part series on unstructured data. If you haven’t yet, check out Part 1: Unstructured Data and Its Challenges. In the next articles, we’ll go deeper into practical methods for managing and governing it.

Want to explore this topic further? Read our article “Unstructured Data Threats and How Top Experts Say You Can Handle It”. Click here to read more!

Background Information of the Data Protection Survey 2021 – 2024

The data protection survey has been conducted since 2021. Responses to the survey have been requested via email and social media.

  • In 2024, 41 individuals responded to the survey.
  • In 2023, 51 individuals responded to the survey.
  • In 2022, 102 individuals responded to the survey.
  • In 2021, 56 individuals responded to the survey.

The response period has been approximately 2 months, and no profiling of the respondents was carried out. The profile of the respondents as well as the size of their organizations has remained very similar, so the results are now comparable across four years. From these responses, we are already able to observe emerging trends in many areas, such as “is staff trained regularly” or “is GDPR beneficial”.

The results are presented in the report as statistical groups, and the answers of individual respondents cannot be inferred. Personalization data related to survey invitations is deleted from the system within 3 months. Multiple-choice and rating-scale questions are reported as charts. Open-ended responses are listed in the report verbatim, with some highlights included in the survey summary.

It is reasonable to assume that the respondents represent individuals who are at least to some extent interested in the topic. On the other hand, from the verbatim responses it can be deduced that some take a rather critical view of the requirements of data protection law.

Respondent Backgrounds

During the survey years, the distribution of organization size has been very similar, as shown in Figure 1. However, in 2024, there were more organizations with over 1,000 employees among the respondents.

Figure 1: Number of Employees in the Organization

Similarly, the distribution of organizational sectors was very consistent during the survey years. The respondents consisted of a diverse range of companies as well as public sector organizations. See Figure 2

Figure 2: Business Sector / Type of Organization

The positions of the respondents also showed a very similar distribution during these years, and the respondents represent both decision-makers and employees. See Figure 3.

Figure 3: Position of the Respondents

Regarding the operating environment, the respondents included organizations operating in Finland, as well as internationally active organizations, and also international organizations whose headquarters are abroad. See Figure 4.

Figure 4: Respondents’ Area of Operation

Return here to the survey results!

Further Information:

Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech

040 5666 900
juha@gdprtech.com

Technology Meets Data Protection – What Does a Technical Project Specialist Bring to Data Protection Work?

Data protection is not only about legal matters. As organizations become more digital and the processing of personal data shifts into increasingly complex systems and system environments, the importance of technical expertise in data protection work grows.

For efficient and purposeful execution, project management capabilities are also required. When these are combined, the result is the role of a technical project manager.

Data protection is continuous work

The GDPR and other data protection regulations set requirements that, in practice, are fulfilled through technology. Data protection work is not a one-time action, but continuous development – and also about tolerating imperfection. If you polish one area to perfection, another may soon begin to fray. That is why the realistic target level of data protection work is often 8+ rather than 10.

Data protection efforts are typically carried out both as part of ongoing program work and as individual projects. Larger one-time initiatives are best organized in project form, ensuring cost-efficient and effective execution. Projects have a beginning, a middle, and an end – unlike continuous work, where loose ends can easily disappear into the whole and resourcing often remains insufficient.

It is also important to note that data protection work is carried out so that, in the event of exceptional situations, operations remain controlled. It is a completely different matter to act prepared in working groups during normal office hours than to react in haste, with incomplete information and inadequate resources.

Technical project expertise as part of modern business

Technical project expertise brings practicality, efficiency, and impact to data protection work. At its core, it is about the understanding and execution capability through which regulatory requirements are implemented in practice.

Data protection is not only about compliance. It is part of modern, responsible, and sustainable business.

Would you like to hear more about how we can help your organization? Get in touch!


Data Protection Survey 2024: GDPR Is Already Part of Everyday Life, but Not Fully in Practice

The Finnish company GDPR Tech Oy has, in cooperation with its partner Tutkimusvoima (Raimo Pöllänen), conducted a survey on the current state of data protection since 2021. The study examines how the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act have affected the operations of companies and organizations in Finland.

The research results provide unique and new insights into the GDPR and its impacts in Finland. The findings help analyze the current state and development of data protection in Finnish organizations. The survey content has remained the same since 2021 to ensure reliable tracking of developments.

Data protection work is carried out in organizations in accordance with GDPR, the EU’s General Data Protection Regulation, and is generally considered beneficial. However, exceptional situation drills are still carried out in only about one-third of organizations.

You can find more detailed information about the study and respondents here!

Key Statistics on Compliance with Data Protection in Finland in 2024

  • The majority of respondents feel that GDPR and the national Data Protection Act have increased trust in the processing of personal data. The figure has risen from 71% in 2021 to 88% in 2024 – a significant increase in trust.
  • Nearly four out of five respondents (78%) believe that GDPR benefits the organization. Open-text responses support this, for example, with observations related to information management.
  • Concern among respondents about their own personal data has grown from about 44% previously to 54%.
  • Still, only 60% of respondents believe that organizations take sufficient care of data protection.
  • Emergency and disaster drills have increased compared to previous years, and now about 39% of organizations have carried them out.

Trust in Data Protection Work Is Growing – Organizations Also See the Benefits

Nearly 90% of respondents in 2024 believe that GDPR and the national Data Protection Act have improved trust in data processing. The percentage has grown from 71.4% in 2021 to 88% in 2024 – a significant increase.

More than 78% of respondents feel that GDPR benefits the organization. This continues the trend that began in 2021: the initial perception that “GDPR prohibits everything” has changed. Now it is recognized that data protection work can also have positive effects. This is also well reflected in the responses – although some still consider GDPR harmful.

Survey Respondent
(GDPR) complicates things in every possible way. I would no longer want to deal with the consumer when you only fear that some loophole will remain open and you will be taken to court because of it.
Survey Respondent
(GDPR) benefits: data destruction, clarity of processes.
Survey Respondent
(GDPR) threats: of course, identity theft can be a problem, but the responsibility should lie with the seller, not the buyer. Identity theft should not be the threat – instead, creating the customer relationship should be so clear that there is no room for misuse.
Survey Respondent
(GDPR) opportunities: I suppose IT systems will gradually learn managed destruction. The end result may be a good process, but I am not entirely convinced of its benefits.

Image 1: Trust in data processing – yes responses

Image 2: Does GDPR benefit your organization – yes responses

GDPR Did Not Remain Solely the Responsibility of IT

According to the 2021 survey, responsibility for data protection work lay with different units, such as IT, finance, HR, and legal departments. In the 2024 responses, the share of finance has, somewhat surprisingly, decreased significantly.

Image 3: Which unit/units in your organization are responsible for data protection (GDPR)?

Risk management improved in 2024, after a decline in 2023 when risks increasingly went unassessed. IT plays a significant role in practical data protection work – particularly in data security and technical safeguards – but risk management in organizations is generally not part of IT’s responsibilities.

The 2024 responses show a clear improvement in the management of risks related to personal data. Behind the responses may also be increased awareness of data breaches highlighted in the media.

Image 4: Has your organization assessed the risks related to personal data?

What is concerning are the answers to the question “Do you think your organization has taken sufficient care of data protection?” The share of “NO” answers has risen from 25.5% in 2023 to as much as 29% in 2024.

“In customer work, one still sees situations where the attitude is that data protection is not our responsibility. For example, a customer service manager refused to participate in a data protection impact assessment workshop led by the Data Protection Officer because ‘data protection does not belong to us.’ In that organization, training has been available, but not everyone has completed it – this is visible in practice.”

Juha Sallinen, CEO of GDPR Tech

Image 5: In your opinion, has your organization taken sufficient care of data protection?

Survey Respondent
There are clear frameworks for the retention of personal data.
Survey Respondent
Affects all activities involving the processing, confidentiality, retention, and disclosure of information linked to individuals.

One in Five Employees Is Not Trained in Data Protection

Of respondents, 80% report that new employees are given data protection guidance as part of onboarding. This means that one-fifth of respondent organizations do not train new employees on data protection during orientation. Some respondents reported that existing employees are sometimes forgotten in this regard, and regular training is often entirely missing.

According to Juha Sallinen, CEO of GDPR Tech, practical measures in organizations are often fragmented:

“We have often noticed situations where an organization trained its staff in some way in 2018, but not since. It is also common that GDPR or data protection training is available, but completion is not monitored.”

Survey Respondent
Provide a good foundation for the processing of personal data
Survey Respondent
The obstacle and threat is that public sector work has been made more difficult, and mandatory supervision costs thousands per year. Public administration must verify its activities, which are often already statutory. But this verification costs money that goes into matters unbeneficial to operations. GDPR slows down and complicates public administration activities and costs money. It does not make our work easier or faster.

Image 6: Is GDPR guidance part of employee onboarding?

Image 7: Has your staff been trained to operate in compliance with GDPR?

Awareness of Sanctions Has Grown – Attitudes Toward GDPR Vary

The survey asked respondents whether they are aware of possible consequences of data protection violations, such as fines or bans on processing. All respondents (100%) stated that they are well aware of what happens if the law is not complied with adequately. In 2021, the corresponding share was about 93%. We assume that awareness has grown partly due to media coverage of data protection sanctions.

Respondents also commented on the topic from very different perspectives. Some felt that organizations now take GDPR issues more seriously than before, while others considered the level of awareness still insufficient.

Survey Respondent
Slows down and complicates things greatly, even though I consider it important. There is also a constant worry and fear about whether I have done something wrong.
Survey Respondent
Dozens of systems and thousands of employees. Turnover is high. Attention must be paid to managing the data of former employees.

Image 8: Awareness of consequences if the law is not complied with

Trust Is Missing – Data Protection Needs Concreteness

Based on the responses, the level of trust in organizations’ data protection practices is concerning. When asked whether they are worried about the processing of their own data, a majority (54%) said they were. The implementation of data protection and risk management clearly requires more work in order to strengthen trust in the processing of personal data.

Image 9: Are you concerned about your own data?

Cookies Track – but Few Know How

The question “Did you know that website cookies track your behavior and target marketing of other products as well?” measured respondents’ awareness of website tracking technologies – and the results are worrying. Despite all the cookie and tracking consents, respondents are still uncertain about what happens on websites and what is done with their data.

The uncertainty is likely increased by the fact that in Finland, user tracking on websites is supervised not by the Data Protection Ombudsman but by Traficom, whose guidelines on the subject were already published in 2021. These guidelines have likely gone unnoticed by many. In Finland, there still do not appear to be consequences or sanctions for the use of tracking technologies contrary to official guidelines.

Image 10: Did you know that website cookies track your behavior and target marketing for other products as well?

Survey respondent
GDPR largely defines to whom marketing messages can be sent and what must be taken into account in marketing automation. In addition, website privacy policies and cookie practices have had to be adjusted quite a lot because of GDPR.

Data Protection Work Requires Continuity – Projects Alone Are Not Enough

Based on responses over four years, it appears that in many organizations, data protection measures have been carried out as projects, but their integration into everyday operations has remained insufficient. Although GDPR is still a relatively young regulation, user awareness is clearly increasing.

Discussions and media often highlight data protection legislation and the need for related communication. An increasing number of consumers are concerned about their personal data and expect organizations to act lawfully with regard to GDPR as well.

The number of data breaches and sanctions that have reached the media in Finland is still very small compared to many other European countries. This is partly explained by Finland’s small population.

Respondents’ comments highlight concerns related to artificial intelligence, data use, and costs. The views are similar to those seen in projects and training. Misinterpretations of GDPR still exist, leading to perceptions of it as too restrictive. In organizations where data protection work has been integrated into everyday operations, clear benefits have been achieved, such as harmonization, clarification, and process efficiency.

“Trust is key – with transparency and accountability, customer trust in the company can be strengthened,” Sallinen concludes.

More information:

Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech

040 5666 900
juha@gdprtech.com

Perspectives on Outsourced Data Protection

Can the role of a Data Protection Officer (DPO) be outsourced, and what are the benefits?

“The role of a DPO can certainly be outsourced,” says GDPR specialist and outsourced Data Protection Officer Jaanaliisa Kuoppa. Surprisingly large organizations have chosen this solution. The position requires specialized expertise and continuous skills development, which few organizations have the capacity to maintain. Most companies also lack the resources to appoint a full-time expert to the role, Jaanaliisa continues.

The benefit of outsourcing lies in the fact that a dedicated expert gathers insights and solutions across different clients, which in turn effectively benefits the purchasing client organization.

When should the role of a DPO not be outsourced? Outsourcing is not recommended when the role requires 100% commitment and intensive collaboration with the organization’s experts and management, Jaanaliisa explains. Even then, outsourcing is possible, but it may not necessarily be optimal for the client organization.

If the Work Is Not Done, Data Protection Debt Accumulates

“The DPO’s workload varies significantly depending on the industry, the size of the organization, and its geographical scope and location,” explains GDPR Tech founder, information management and technology architect Juha Sallinen.

Juha provides a concrete example: “One of our new clients had previously allocated only four hours per month of one person’s time for data protection work. This led to a data protection debt, because in that time it is not possible to provide guidance, training, self-development, let alone monitor changes in privacy interpretations, and so on.”

The client initially tackled the debt with 16 hours of monthly effort. Since then, the workload has been adjusted to eight hours per month, supplemented by additional tasks as needed.

In an international organization, simply monitoring state-specific privacy changes in the United States alone consumes significant work hours. A functional structure in international organizations often seems to be a “Global Head of Privacy” supported by an operational team, Juha notes. The DPO’s role is to guide and supervise, which often requires a determined, project manager–like approach.

Data Protection Debt Can Be Reduced Through Determined Project Work

GDPR Tech’s Technical Project Manager, Mervi Hongisto, shares her perspective:
“It is essential to define how much data protection work will be carried out proactively and in a controlled manner during regular office hours. At the same time, it must be assessed what risks the organization is willing to accept regarding tasks left undone.”

Even a small amount of systematic neglect is inadequate for risk management and therefore not advisable.

“Good project management provides concrete tools and visibility into the key priorities of data protection work,” Mervi continues. An outsourced project manager can at best provide the client with a prioritization overview that is aligned with the client’s other assignments. At the same time, effective implementation is ensured, which also builds the client’s own expertise.

Responsibility of the Service Provider and the Client

“There is a known case where a single consultant acts as the DPO for as many as 600 organizations,” Juha Sallinen points out. This raises a critical question about the adequacy of resources. The client bears the responsibility to ensure that the purchased service truly meets the requirements of data protection work. The provider, in turn, must be able to demonstrate that the resources and expertise are sufficient to serve such a wide client base. This highlights the importance of quality and accountability in data protection practices.

Ideally, an organization itself should have enough knowledge to decide whether it wants—or is able—to outsource the DPO role.

At GDPR Tech, we have a structured, cost-effective, and easily customizable approach to delivering the service.

Responsibility itself cannot be outsourced, even if many other things can.

Considering Outsourcing Your Data Protection Work?

DPOaaS (Data Protection Officer as a Service) is a safe and cost-effective solution when you need an expert to help your company meet current, legally mandated data protection obligations—without hiring a full-time employee.

Get in touch also if you need a temporary substitute, a backup person for your DPO work, or a sparring partner to assess the state of your data protection!

Experts Featured in the Article:

Jaanaliisa Kuoppa – GDPR Specialist, Outsourced Data Protection Officer, part of the DPO Team

Juha Sallinen – Entrepreneur, Information Management and Technology Architect, Outsourced Data Protection Officer, part of the DPO Team

Mervi Hongisto – Technical Project Manager, Outsourced Data Protection Officer, part of the DPO Team

Customer Story: Information Security Is Continuous Work – Keitele Group’s Story of Staff Training

Keitele Group is a family-owned company that has grown to become one of Finland’s largest operators in mechanical wood processing and the country’s largest manufacturer of wood products. In a large, internationally operating company, information security is taken seriously. The Group’s IT Manager, Veli Matti Häkkinen, explains that the importance of information security has increased further with digitalization and today’s interconnected world. Managing information security has become increasingly demanding, requiring constant effort.

Information Security as a Support for Modern Business

The interconnectedness of the world has brought new threats that are no longer dependent on physical location. “The number of risks has increased, and the situation has steadily worsened,” Häkkinen notes, highlighting especially the impact of artificial intelligence. Fraud has become more convincing and harder to detect.

To respond to these growing threats, Keitele Group relies on technical solutions such as strict access control, as well as regular training. Häkkinen welcomes the requirements set by legislation on companies regarding information security: “Nowadays, laws related to information security also place demands on companies – and that is a good thing,” Häkkinen states.

Staff Training in a Key Role

Keitele Group invests in the information security and data protection competence of its staff through training programs. In 2024, around 200 employees participated in training, and the company is already planning further sessions for 2025.

The training has proven highly useful, successfully raising awareness of the importance of information security particularly among basic users: “That is exactly what we aimed to achieve with the training,” Häkkinen explains. The training has been effective especially thanks to its flexibility – each employee can complete it at a time that suits them.

Raising Awareness Through Training

The level of difficulty in the training has been perceived as especially successful. “Feedback has shown that the training is pitched at exactly the right level: not too simple and not too complex,” the IT Manager says. Although overall participation was strong, Häkkinen points to an interesting observation. “While the activity level in training was good, there remains a small group of individuals who were not interested. It raises the question of how much they care about information security at all.”

The training has proven to be an effective way to raise staff awareness, even if measuring the exact benefits is challenging. At Keitele Group, training will continue in the future as part of the company’s ongoing development of information security: “Training will be continued in the future as well,” Häkkinen confirms.

Staying Alert for the Future

Keitele Group continues to invest in information security and is already planning further training sessions for 2025. “We actively monitor the development of security threats and are ready to react if necessary,” Häkkinen emphasizes.

When asked for his advice to other IT managers who have not yet invested in data protection or security, Häkkinen’s view is clear: information security requires continuous effort. According to him, those responsible for information security are well aware of its importance and the growing threats. Information security is not a one-time project but a continuous process requiring regular attention and resources. Training has proven to be an effective way to strengthen Keitele Group’s information security and data protection expertise. “I recommend this kind of training,” Häkkinen concludes.

Learn more about Keitele Group here: https://www.keitelegroup.fi/

Explore GDPR Tech’s training offering here: https://gdprtech.com/en/gdpr-training/

Data Protection Officer of the Year 2024: Juha Sallinen Still Has Plenty of Work Ahead

GDPR Tech’s entrepreneur and founder, data protection consultant Juha Sallinen, was awarded Data Protection Officer of the Year 2024.

The award is granted annually to a person who exemplarily develops data protection practices and promotes networking, expertise, and the sharing of knowledge across organizational boundaries. The recognition was presented at the Data Protection Day 2025 event on January 28, 2025, organized by Alma Insights and the Office of the Data Protection Ombudsman. The awardees were selected by a panel of experts.

Here is a closer look at Juha’s and GDPR Tech’s journey to this point.

The Journey to Becoming a Data Protection Expert

Juha’s path into data protection has been multifaceted. Before full-time data protection work, Juha worked for nearly 20 years in the IT sector, where he witnessed major technological shifts such as the development of cloud services and the related risks. His experience as a trainer, along with roles at IT company Tieto, HP Enterprise, cybersecurity company Symantec, and data management company Veritas Technologies, built a solid foundation for understanding data protection compliance. His background as an engineer, combined with a later eMBA degree, has provided him with a broader perspective on both technical and business-related questions.

Since 2016, Juha has been an entrepreneur at GDPR Tech, whose core mission is to bring trust to data protection through practical measures. This includes both training and technical actions that help organizations improve their data protection practices.

Photo credit: Alma Insights. From left to right: Reijo Aarnio, Oona Matinpalo, Juha Sallinen, Kimmo Rousku, Ida-Emilia Laasonen.

The Biggest Challenges in Data Protection Work

According to Juha, one of the greatest challenges in data protection work is prioritization – how to allocate time and resources effectively while considering companies’ very different starting points regarding data protection.

“I still see organizations that haven’t even started data protection work,” Juha notes, giving a telling example: “One of the most common passwords in Finland is still ‘salasana’ (‘password’). If that’s the level of security, you can’t assume that data is otherwise properly protected either—or if the password is simply empty – and yes, there are those too. So there is still a lot of work to be done, and my expertise must be put to best use in supporting each client’s individual situation.”

“Between 2016–2018, a lot of misinformation about GDPR circulated, and some of these misconceptions still persist in many companies,” Juha remarks.

He cites as an example the belief that GDPR does not apply to all companies. In reality, GDPR is in one way or another part of every company’s operations. “Of course, common sense should be used—for instance, a sole proprietor in excavation work for a municipality has little to do with personal data. However, if a sole proprietor works as a doctor for a wellbeing services county, then they are already dealing with completely different and much more sensitive information.”

Expertise Means Continuous Learning

Data protection legislation is constantly evolving, and keeping up to date requires regular study and active monitoring. Juha maintains his expertise by attending selected industry seminars, such as Alpine Privacy Days and the Nordic Privacy Arena, which also provide valuable insights into legislative developments in other countries.

Juha highlights an interesting example from South Africa’s POPIA (Protection of Personal Information Act), which contains unusually severe sanctions for data protection violations – ranging from fines (10 million rand) to prison sentences (up to 10 years).

“At the moment, we are monitoring the situation in the United States: will the adequacy decision (Data Privacy Framework) remain in force, will it collapse, or will there be a Schrems III? These decisions would have a direct impact on the U.S.-based services organizations use, such as cloud-based office applications.”

Bringing Out Personal Strengths in Data Protection Work

Data protection work may initially seem like an overwhelming whole, with much to consider from both a legal and technical perspective.

“It’s easy to get overloaded in data protection work,” Juha confirms.

That’s why he encourages professionals to find their own area of specialization and to network with other players in the field. Collaboration and knowledge-sharing are key in a constantly evolving sector.

Data Management at the Core of Data Protection

Juha notes that the EU’s GDPR has already proven to be a kind of “gold standard”, which is referred to in, for example, China’s PIPL and Brazil’s LGPD legislation. At the same time, however, constantly increasing regulation can create overload for many organizations.

“Continuously developing new technologies, such as artificial intelligence in its various forms, bring new challenges to data protection, and their effects will be seen for a long time to come,” Juha reflects.

For 2025, Juha predicts that the biggest data protection theme will be data management. Many data breaches occur because old information is stored without proper management. “The ‘D’ in GDPR—data—must be remembered: in addition to contracts, monitoring and technical measures are needed to protect people’s information,” Juha stresses.

The Daily Life and Future of a Data Protection Professional

To balance his daily data protection work, Juha spends winters snowboarding and summers working on various projects at his countryside home, where he lives.

“If I weren’t working in data protection, I would probably focus even more on data management,” Juha reflects. The last ten years have been very interesting, and data protection continues to provide new challenges and learning opportunities.

The Data Protection Officer of the Year diploma will end up on the wall of Juha’s remote office, serving as a reminder of his long and eventful journey in the field of data protection. He is particularly pleased that he was recognized as an outsourced Data Protection Officer.

Juha also wants to give credit to others in the field: “Everyone working in data protection would deserve similar recognition, as the field is full of skilled and dedicated professionals.”

Finally, Juha compares data protection to his beloved sport, snowboarding—with a twinkle in his eye:

“Data protection practices are not a hindrance, but an opportunity for smoother and safer operations—just like a good snowboard that makes the ride enjoyable instead of slowing you down!”

GDPR Tech congratulates the VAHTI Data Protection Development Working Group for receiving the 2024 Data Protection Act of the Year award.

Background on the 2021-2023 Data Protection Survey

The data protection survey was conducted from 2021 onwards. Responses to the survey were solicited via email and social media.

  • In 2023, 51 people responded to the survey.
  • In 2022, 102 people took part in the survey.
  • In 2021, 56 people completed the survey.

A response period of approximately 2 months was given, and no profiling of respondents was carried out. The profile of the respondents and the size of their organisations have remained very similar from year to year, and results are now available for three consecutive years. From these responses, trends can already be seen in a number of areas, such as ‘are staff trained regularly’ or ‘is the GDPR useful’.

The results are treated in the report as a statistical set, and no individual respondent’s answers can be inferred from the results. Personal data associated with the questionnaires will be deleted from the system within 3 months. Choice and rating questions are reported as graphs. The free-text responses to the open-ended questions are listed in the report, with some highlights in the survey summary.

It can be assumed that the respondents to the survey represent people who are at least somewhat interested in the subject. On the other hand, it can be inferred from the responses to the survey that some of them are quite critical of the requirements of the Data Protection Act.

The distribution of respondents by organisation size was very similar across the years of response. It is worth noting that almost 60% of respondents work in organisations with more than 50 employees, and just over 25% work in organisations with more than 1,000 employees. Clearly, both small and large organisations are interested in GDPR issues. See Figure 1.

Figure 1: Number of staff in the organisation

Työntekijää = (Number of) Employees

The distribution of organisations by sector was also very similar across the years of response. Respondents were a diverse mix of companies and public sector actors. See Figure 2.

Figure 2: Sector of the enterprise/organisation

B to B palveluiden myynti yrityksille (liike-elämän palvelut) = Sale of B to B services to businesses (business services)
B to C palveluiden myynti kuluttajille = Sale of B to C services to consumers
B to B tuotteiden myynti yrityksille (teollisuus, laitteet) = B to B product sales to companies (industry, equipment)
B to C tuotteiden myynti kuluttajille = Sale of B to C products to consumers
Julkisen sektorin organisaatio = Public sector organisation

The distribution of respondents’ professional positions was very similar across these years. Respondents represent both decision-makers and employees. See Figure 3.

Figure 3: Professional positions of respondents

Johto = Upper management
Esihenkilö = Manager
Ylempi toimihenkilö = Senior staff member
Toimihenkilö tai työntekijä = Staff member or employee

With regard to the working environment, respondents included employees from companies operating in Finland, companies operating internationally and international companies with headquarters abroad. See figure 4.

Figure 4: Respondents’ working environments

Toimimme vain Suomessa = We only operate in Finland
Toimimme kansainvälisesti, päätoimipaikka Suomessa = We operate internationally, with headquarters in Finland
Toimimme kansainvälisesti, päätoimipaikka ulkomailla = We operate internationally, with headquarters abroad


Further information:

Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech

040 5666 900
juha@gdprtech.com

Data Protection Survey 2023: GDPR benefits organisations, but not enough effort is being put into it

Organisations are implementing data protection work and complying with the GDPR, the EU’s General Data Protection Regulation, to protect personal data. Organisations also perceive that they benefit from these activities. However, fewer than a third of organisations practise contingency planning.

The Finnish company GDPR Tech, together with Garagelabs, has conducted a survey from 2021 onwards focusing on the current state of data protection. The survey examines how the EU General Data Protection Regulation (EU GDPR), the Data Protection Act (TSA) or similar regulations have affected the operations of companies and organisations operating in Finland.

The results of the study provide unique and unparalleled insights into the GDPR and its impact in Finland. This data will enable an analysis of the current state of data protection and its reception in Finland. The survey has been similar from 2021 onwards to allow us to monitor the development of the topic and changes over time.

Additional background information about the study and the respondents is given in the background section above.

Main data protection compliance statistics in Finland in 2023

  • The majority of respondents feel that the GDPR, as well as the national data protection law, has improved their confidence in the processing of their data. This has increased from 71.4% in 2021 to 78.0% in 2023. This is a significant increase in confidence.
  • However, only 60% of respondents feel that data protection is adequately taken care of in their organisation.
  • Public administrations in particular, but also other stakeholders, are affected by the Data Management Act, which affected more than 43% of respondents in 2023.
  • The majority of respondents (over 80%) know who the Data Protection Officer is in their organisation.
  • Emergency and disaster drills have increased, but still only around a third of organisations (31.4% in 2023) carry them out.


Confidence in data processing and perceived benefits continue to grow

In 2023, almost 80% of respondents feel that the GDPR and national data protection law have improved their trust in data processing. This is an increase from 71.4% in 2021 to 78% in 2023.

More than 68% of respondents feel that the GDPR has benefited their organisation. This is a continuation of the trend in 2021, where the initial ‘GDPR says no to everything’ attitude has been replaced by a recognition that data protection can also have a positive impact. This is clearly reflected in respondents’ attitudes, although some still perceive the GDPR as a disadvantage.

Respondent: “The lack of understanding results in numerous unnecessary data processing agreements, documents and reports. I see the benefit of increased attention to data protection issues, even if the measures are still mainly taken to fulfill formalities rather than to actually improve data protection.”

Respondent: “Costs are incurred and data training, digital learning and surveys are carried out, but the work does not change because it cannot change.”

Respondent: “Data processing is now much more systematic, which has made it easier to find information, for example. The disadvantage is the need to document and maintain that data. I still see the threat that people will not comply with these regulations and thus there will be data leaks. The opportunity I see is that information in general will become more organised and manageable.”


Figure 1: Confidence in data processing? – Yes answers

Figure 2: Does GDPR benefit your organisation? – Yes answers

One in five believe GDPR implementation is the sole responsibility of the IT department

According to the 2021 survey, a range of departments were responsible for data protection, including IT, finance, HR and legal. The legal department accounted for up to a third of data protection work, according to respondents. In the 2022 and 2023 surveys, the legal department’s share dropped to less than 28%.

In the 2023 survey, around a fifth of respondents felt that GDPR had been left to IT alone. Risk management is a particular concern: in 2023, a downward trend was observed, with risks not having been adequately mapped. Although the practical work of data protection, especially in terms of technical safeguards, is mainly done in IT, risk management in the organisation is generally not the responsibility of IT.


Figure 3: Has GDPR left only IT to deal with?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

Figure 4: Has your organisation identified the risks associated with personal data? – Yes answers

The answer to the question “Do you think you have adequate data protection in place?” is also a cause for concern, with a quarter of respondents (25.5%) answering in the negative.

“We have been conducting data protection snapshots with different organisations for years and we can see an increase in employee awareness. People are now more critical of the organisation’s practices and more open about their findings. Especially in medium-sized companies, risk management usually does not cover data protection risks as part of ongoing risk management. Data protection operates as a separate process.”

Juha Sallinen, CEO – GDPR Tech


Figure 5: Do you think that data protection has been adequately taken care of?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

Respondent: “Awareness of data protection issues has improved substantially and processes have been developed, etc.”

Respondent: “The risk is old systems, partly external users of the systems, people also do not understand the purpose of the data protection law or how it affects their work.”

At least one in four employees has no data protection training

Just over 60% of respondents say that new employees receive a data protection briefing as part of their induction. Worryingly, however, from a good performance in 2021, when almost 90% of employees were trained in GDPR, this figure has fallen to 75% in 2023. Meanwhile, a quarter of respondents do not train new employees on data protection as part of their induction.

Some respondents mentioned that employees are not always reminded to familiarise themselves with data protection, and there is also a lack of regular training. According to Juha Sallinen, CEO of GDPR Tech, practical action in organisations is often fragmented:

“We have often seen a situation where an organisation has trained its staff in some way in 2018, but nothing has happened since. It is also common that GDPR and data protection training is available, but performance is not monitored.”

Respondent: “There is a lot of data phishing going on, so it takes a lot of effort in terms of privacy and security, but of course it is essential and understandable in any sector. Also, we're dealing with sensitive data, so it's particularly important to make sure that everyone understands the importance of data protection and doesn't see it as a mandatory evil or as something they can get away with.”

Respondent: “GDPR is a complete waste of time and resources. Nothing has changed except that websites are full of pop-ups and everything is more complicated.”


Figure 6: Is GDPR guidance part of the induction?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

Figure 7: Do you have GDPR compliance training in place for your staff?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

Finnish organisations are aware of GDPR consequences and sanctions

Respondents were asked if they were aware of possible sanctions for data protection violations, such as fines or processing bans. 100% were aware of what happens if the law is not adequately complied with. This compares to 93% in 2021. We suspect that the increase in awareness has also been influenced by the news of data breaches that appear in the media from time to time.

Some respondents felt that organisations are now taking GDPR more seriously, while others felt that there is still a lack of awareness.

Figure 8: Are you aware that there may be sanctions (fines or processing bans) for non-compliance with the GDPR? (Not applicable to public administration in Finland) – Yes answers

Confidence in the protection of personal data at organisational level is generally low

It is worrying that respondents have little confidence in the ability of organisations to protect their data. When asked if they were concerned about how their own data was being handled, just over 50% said they were not concerned. However, across 2021–2023, more than 40% of respondents said they were concerned about how their own data is handled. Clearly, more work is needed on data protection enforcement and risk management to improve trust in the way our data is handled.

Figure 9: Recently, there have been cases in the media where personal data have been leaked to criminals. Are you concerned about your personal data? – Yes answers

Website cookies and visitor tracking are not clear to everyone

The question ‘Are you aware that website cookies are used to track your behaviour and to target marketing of other products’ asked respondents about their awareness of website tracking technologies. The answers provide some worrying information. Despite granting cookies and tracking permissions, respondents are less aware of what is happening on the website and therefore less aware of how their data is being used.

This can be confusing. For example, in Finland the monitoring of website users is under the supervision and guidance of Traficom and not the Data Protection Ombudsman. Many people may have missed Traficom’s 2021 guidelines, and in Finland it appears that there will be no sanctions for cookie processing.

Figure 10: Did you know that website cookies track your behaviour?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

Respondent: “Since we have data, we need to use it for productivity, economic growth and to fight crime. Data and AI are needed.”

There is still room for improvement in data protection work

The responses over the three years suggest that many organisations have implemented GDPR activities as a project, but these activities have not been translated into day-to-day operations. Although the GDPR is still a relatively new regulation, user awareness of it continues to grow. Discussions and media coverage often focus on data protection legislation and how to communicate it more widely.

In Finland, the number of data breaches that have reached the media and the resulting sanctions has been relatively low compared to other European countries. Nevertheless, more and more consumers are concerned about their own data and expect organisations to act in accordance with the law, including the GDPR.

“For the first time, AI and the use of data also appear in respondents’ comments. The different views of respondents remind us of the challenges we see in projects and training. We have noticed misunderstandings about the topic, which is why some feel that GDPR ‘bans everything’. In organisations where policies are clearly defined and data protection is part of daily operations, benefits such as consistency and operational clarity have been achieved. Process efficiency and operational clarity have also been observed among respondents. The importance of trust is highlighted in several responses – transparency and accountability can improve customer trust in the organisation,” Sallinen concludes.
