Background on the 2021-2023 Data Protection Survey

The data protection survey was conducted from 2021 onwards. Responses to the survey were solicited via email and social media.

  • In 2023, 51 people responded to the survey.
  • In 2022, 102 people took part in the survey.
  • In 2021, 56 people completed the survey.

A response period of approximately 2 months was given and no profiling of respondents was carried out. The profile of the respondents and the size of the organisations has remained very similar, so the results are now available for three years. From these responses, we can already see trends in a number of areas, such as ‘are staff trained regularly’ or ‘is the GDPR useful’.

The results are treated in the report as a statistical set, and no individual respondent’s answers can be inferred from the results. Personal data associated with the questionnaires will be deleted from the system within 3 months. Choice and rating questions are reported as graphs. The proprietary responses to the open-ended questions are listed in the report, with some highlights in the survey summary.

It can be assumed that the respondents to the survey represent people who are at least somewhat interested in the subject. On the other hand, it can be inferred from the responses to the survey that some of them are quite critical of the requirements of the Data Protection Act.

As far as the respondents are concerned, the distribution of the size of the organisations was very similar in the years of response. It is worth noting that almost 60% of respondents work in organisations with more than 50 employees and just over 25% of respondents work in organisations with more than 1,000 employees. Clearly, both small and large organisations are interested in GDPR issues. See Figure 1.

Figure 1: Number of staff in the organisation

Työntekijää = (Number of) Employees

The distribution of organisations by sector was also very similar across the years of response. Respondents were a diverse mix of companies and public sector actors. See Figure 2.

Figure 2: Sector of the enterprise/organisation

B to B palveluiden myynti yrityksille (liike-elämän palvelut) = Sale of B to B services to businesses (business services)
B to C palveluiden myynti kuluttajille = Sale of B to C services to consumers
B to B tuotteiden myynti yrityksille (teollisuus, laitteet) = B to B product sales to companies (industry, equipment)
B to C tuotteiden myynti kuluttajille = Sale of B to C products to consumers
Julkisen sektorin organisaatio = Public sector organisation

The distribution of respondents’ professional positions was very similar across these years. Respondents represent both decision-makers and employees. See Figure 3.

Figure 3: Professional positions of respondents

Johto = Upper management
Esihenkilö = Manager
Ylempi toimihenkilö = Senior staff member
Toimihenkilö tai työntekijä = Staff member or employee

With regard to the working environment, respondents included employees from companies operating in Finland, companies operating internationally and international companies with headquarters abroad. See figure 4.

Figure 4: Respondents’ working environments

Toimimme vain Suomessa = We only operate in Finland
Toimimme kansainvälisesti, päätoimipaikka Suomessa = We operate internationally, with headquarters in Finland
Toimimme kansainvälisesti, päätoimipaikka ulkomailla = We operate internationally, with headquarters abroad

Return here to the research results!


Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech 

040 5666 900
[email protected]

Data Protection Survey 2023: GDPR benefits organisations, but not enough effort is being put into it

Organisations are implementing data protection work and complying with the GDPR, the EU’s General Data Protection Regulation, to protect personal data. Organisations also perceive that they benefit from these activities. However, only less than a third of organisations practice contingency planning.

The Finnish company GDPR Tech, together with Garagelabs, has conducted a survey from 2021 onwards focusing on the current state of data protection. The survey examines how the EU General Data Protection Regulation (EU GDPR), the Data Protection Act (TSA) or similar regulations have affected the operations of companies and organisations operating in Finland.

The results of the study provide unique and unparalleled insights into the GDPR and its impact in Finland. This data will enable an analysis of the current state of data protection and its reception in Finland. The survey has been similar from 2021 onwards to allow us to monitor the development of the topic and changes over time.

You can access additional background information about the study and the respondents here!

Main data protection compliance statistics in Finland in 2023

    • The majority of respondents feel that the GDPR, as well as the national data protection law, has improved their confidence in the processing of their data. This has increased from 71.4% in 2021 to 78.0% in 2023. This is a significant increase in confidence.
    • However, only 60% of respondents feel that data protection is adequately taken care of in their organisation.
    • Public administrations in particular, but also other stakeholders, are affected by the Data Management Act, which affected more than 43% of respondents in 2023.
    • The majority of respondents (over 80%) know who the Data Protection Officer is in their organisation.
    • Emergency and disaster drills have increased, but still only around a third of organisations (31.4% in 2023) carry them out.

Confidence in data processing and perceived benefits continue to grow

In 2023, almost 80% of respondents feel that the GDPR and national data protection law have improved their trust in data processing. This is an increase from 71.4% in 2021 to 78% in 2023.

More than 68% of respondents feel that the GDPR has benefited their organisation. This is a continuation of the trend in 2021, where the initial ‘GDPR says no to everything’ attitude has been replaced by a recognition that data protection can also have a positive impact. This is clearly reflected in respondents’ attitudes, although some still perceive the GDPR as a disadvantage.

The lack of understanding results in numerous unnecessary data processing agreements, documents and reports. I see the benefit of increased attention to data protection issues, even if the measures are still mainly taken to fulfill formalities rather than to actually improve data protection.
Costs are incurred and data training, digital learning and surveys are carried out, but the work does not change because it cannot change.
Data processing is now much more systematic, which has made it easier to find information, for example. The disadvantage is the need to document and maintain that data. I still see the threat that people will not comply with these regulations and thus there will be data leaks. The opportunity I see is that information in general will become more organised and manageable.
Previous slide
Next slide

Figure 1: Confidence in data processing? – Yes answers

Figure 2: Does GDPR benefit your organisation? – Yes answers


One in five believe GDPR implementation is the sole responsibility of the IT department

According to the 2021 survey, a range of departments were responsible for data protection, including IT, finance, HR and legal. The legal department accounted for up to a third of data protection work, according to respondents. In the 2022 and 2023 surveys, the legal department’s share dropped to less than 28%.

In the 2023 survey, around a fifth of respondents felt that GDPR had been left to IT alone. Risk management is a particular concern. In 2023, a downward trend was observed where risks had not been adequately mapped. Although the practical work of data protection, especially in terms of technical safeguards, is mainly done in IT. Risk management in the organisation is generally not the responsibility of IT.

Figure 3: Has GDPR left only IT to deal with?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say


Figure 4: Has your organisation identified the risks associated with personal data? – Yes answers


The answer to the question “Do you think you have adequate data protection in place?” is also a cause for concern, with a quarter of respondents (25.5%) answering in the negative.

“We have been conducting data protection snapshots with different organisations for years and we can see an increase in employee awareness. People are now more critical of the organisation’s practices and more open about their findings. Especially in medium-sized companies, risk management usually does not cover data protection risks as part of ongoing risk management. Data protection operates as a separate process”.

Juha Sallinen, CEO – GDPR Tech

Figure 5: Do you think that data protection has been adequately taken care of?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say


Awareness of data protection issues has improved substantially and processes have been developed, etc.
The risk is old systems, partly external users of the systems, people also do not understand the purpose of the data protection law or how it affects their work.
Previous slide
Next slide

At least one in four employees has no data protection training

Just over 60% of respondents say that new employees receive a data protection briefing as part of their induction. Worryingly, however, from a good performance in 2021, when almost 90% of employees were trained in GDPR, this figure has fallen to 75% in 2023. Meanwhile, a quarter of respondents do not train new employees on data protection as part of their induction.

Some respondents mentioned that employees are not always reminded to familiarise themselves with data protection, and there is also a lack of regular training. According to Juha Sallinen, CEO of GDPR Tech, practical action in organisations is often fragmented:

‘We have often seen a situation where an organisation has trained its staff in some way in 2018, but nothing has happened since. It is also common that GDPR and data protection training is available, but performance is not monitored.”

There is a lot of data phishing going on, so it takes a lot of effort in terms of privacy and security, but of course it is essential and understandable in any sector. Also, we're dealing with sensitive data, so it's particularly important to make sure that everyone understands the importance of data protection and doesn't see it as a mandatory evil or as something they can get away with.
GDPR is a complete waste of time and resources. Nothing has changed except that websites are full of pop-ups and everything is more complicated.
Previous slide
Next slide

Figure 6: Is GDPR guidance part of the induction?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

Figure 7: Do you have GDPR compliance training in place for your staff?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say


Finnish organisations are aware of GDPR consequences and sanctions

Respondents were asked if they were aware of possible sanctions for data protection violations, such as fines or processing bans. 100% were aware of what happens if the law is not adequately complied with. This compares to 93% in 2021. We suspect that the increase in awareness has also been influenced by the news of data breaches that appear in the media from time to time.

Some respondents felt that organisations are now taking GDPR more seriously, while others felt that there is still a lack of awareness.

Figure 8: Are you aware that there may be sanctions (fines or processing bans) for non-compliance with the GDPR? (Not applicable to public administration in Finland) – Yes answers


Confidence in the protection of personal data at organisational level is generally low

It is worrying that respondents have little confidence in the ability of organisations to protect their data. When asked if they were concerned about how their own data was being handled, just over 50% said they were not concerned. However, by 2021-2023, more than 40% of respondents said they were concerned about how their own data is handled. Clearly, more work is needed on data protection enforcement and risk management to improve trust in the way our data is handled.

Figure 9: Recently, there have been cases in the media where personal data have been leaked to criminals. Are you concerned about your personal data? – Yes answers


Website cookies and visitor tracking are not clear to everyone

The question ‘Are you aware that website cookies are used to track your behaviour and to target marketing of other products’ asked respondents about their awareness of website tracking technologies. The answers provide some worrying information. Despite granting cookies and tracking permissions, respondents are less aware of what is happening on the website and therefore less aware of how their data is being used.

This can be confusing. For example, in Finland the monitoring of website users is under the supervision and guidance of Traficom and not the Data Protection Ombudsman. Many people may have missed Traficom’s 2021 guidelines, and in Finland it appears that there will be no sanctions for cookie processing.

Figure 10: Did you know that website cookies track your behaviour?

Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say

Since we have data, we need to use it for productivity, economic growth and to fight crime. Data and AI are needed.

There is still room for improvement in data protection work

The responses over the three years suggest that many organisations have implemented GDPR activities as a project, but these activities have not been translated into day-to-day operations. Although the GDPR is still a relatively new regulation, user awareness of it continues to grow. Discussions and media coverage often focus on data protection legislation and how to communicate it more widely. 

In Finland, the number of data breaches that have reached the media and the resulting sanctions has been relatively low compared to other European countries. Nevertheless, more and more consumers are concerned about their own data and expect organisations to act in accordance with the law, including the GDPR.

“For the first time, AI and the use of data also appear in respondents’ comments. The different views of respondents remind us of the challenges we see in projects and training. We have noticed misunderstandings about the topic, which is why some feel that GDPR ‘bans everything’. In organisations where policies are clearly defined and data protection is part of daily operations, benefits such as consistency and operational clarity have been achieved. Process efficiency and operational clarity have also been observed among respondents. The importance of trust is highlighted in several responses – transparency and accountability can improve customer trust in the organisation,” Sallinen concludes.

Further information:

Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech 

040 5666 900
[email protected]

The Future of Unstructured Data: Lessons from the Pegasus Airlines Data Breach

Recently, in a webinar panel discussion moderated by Juha Sallinen, the colossal data breach at Pegasus Airlines in 2022 came under the spotlight. Panel members included Nina Barzey, a lawyer and advocate, and Petri Aalto, a modern workplace and security solution architect.

The data breach of Turkish Pegasus Airlines in 2022 reignited discussions around unstructured data and the nuances surrounding its security, especially in cloud environments. With the breach compromising about 6.5TB of data, in this case equivalent to whopping 23 million file, the experts are pushing for better strategies and policies in handling such vast amounts of information. The exposed data was stored in an AWS S3 bucket – a cloud storage solution.

The discussion gravitated towards several vital questions: What measures should organizations adopt to avoid such breaches? Is cloud storage of personal information safe? Who holds the responsibility when such breaches occur?

Data Breach: The Case of Pegasus Airlines

Pegasus Airlines’ breach exposed approximately 23 million files, all stored in an AWS S3 bucket. The fact that such a large dataset was improperly secured and without any password in a cloud environment prompts crucial questions:

  • Is it safe to store personal data in the cloud?
  • How can breaches like this be prevented?
  • What are the implications for individuals whose data has been leaked?

Architectural Challenges and Design Solutions

Petri Aalto, an expert on the panel, identified potential root causes of such breaches. He pointed out that many organizations opt for cloud storage simply because it’s economical. Other times, mergers, acquisitions, or data migrations drive the shift. Regardless of the reasons, if there’s no proper architectural design and risk assessment, such breaches are bound to occur. Another concern he raised was the possible absence of proper security processes when business units use personal credit cards to make cloud purchases.

Moreover, as businesses look to automate their operations, ensuring that security protocols are maintained and updated becomes paramount. Otherwise, the ease of cloud storage could be offset by the vulnerability it presents.

Legal Ramifications and International Data Transfers

While the advantages of cloud storage are evident, the legal complications cannot be ignored. Nina Barzey, another panellist, points out that businesses often overlook GDPR guidelines. For example, where data is stored becomes irrelevant if the organization isn’t clear about the nature of the data they possess. Barzey emphasized the importance of educating staff about data privacy rules. According to Barzey, even if top management is familiar with regulations like GDPR, it’s often the case that the general staff isn’t.

Barzey also pointed out that storing data in the cloud, especially sensitive information, poses severe challenges. These challenges range from the legal implications of international data transfers to ensuring proper oversight over sub-suppliers or IT suppliers. Furthermore, the transfer of data from one country to another, as in the Pegasus case where a Turkish company stored data on an American-based cloud, brings in complexities related to data privacy laws.

Recognizing and Addressing the Data Breach

One of the more pressing issues highlighted during the conversation was the responsibility that comes with data control. If a company, as a data controller, collects data from subjects, they must be accountable for how their IT suppliers manage that data, especially in a cloud environment. Without this insight, there’s a clear breach of data protection laws like GDPR.

“If you are a data controller who owns and collects data from data subjects, it’s imperative that you maintain oversight over any sub-suppliers, including IT providers. This is a primary reason why public authorities in Sweden often opt out of storing sensitive or integrity-sensitive data in the cloud; they can’t conduct a thorough legal analysis of all the data. Many major IT and cloud service providers don’t permit scrutiny of their internal operations. A breach occurs when an organization, such as one using a cloud, doesn’t maintain proper insight and control over stored data, violating GDPR guidelines. If you can’t oversee your sub-suppliers, it’s advisable not to engage them. However, the level of oversight might vary based on the data’s sensitivity, whether it’s highly confidential or basic details like contact information. Ultimately, the onus of responsibility rests with the data controller,” Barzey notes.

Such large-scale data breaches are alarming, primarily when they involve personal details. Barzey emphasizes the importance of notifying affected individuals, particularly when sensitive data, such as health-related information, is involved.

The Cloud Dilemma: Public vs. Private

Different cloud types bring various security measures. The debate between public and private clouds often centres on the kind of data being stored. Aalto suggests that the nature of the data should dictate the choice. For instance, sensitive data might be best placed in private clouds, while less critical data can reside in public clouds. Public clouds, private clouds, and on-premises services all have their pros and cons. The decision on which one to opt for should be rooted in an organization’s data strategy, considering the kind of data to be stored.

“The nature of the data largely dictates the choices we make. When considering the private or public cloud, decisions hinge on specific requirements. What do you expect from your service provider? There are ongoing debates regarding the security of public cloud services compared to in-house solutions. For instance, while we might consider using our own HSM module to encrypt data, we must also ensure that our encryption mechanisms and processes align with those in a public cloud environment,” Aalto summarized.

The Way Forward

In conclusion, the Pegasus Airlines breach serves as a potent reminder of the challenges and responsibilities tied to unstructured data. Summarizing the discussion, Juha Sallinen asserted that organizations must prioritize understanding their data and they need a robust data strategy. This strategy should define the type of data to be stored and the preferred storage mediums. Monitoring and ensuring adherence to this strategy is just as crucial.

An approach backed by legal compliance and accountability would likely yield a resilient data protection framework, minimizing the risks of breaches in the future. From a legal standpoint, Nina advocates continuous training. Ensuring staff understand the nature and importance of the data they handle is crucial for maintaining data integrity and security. Encrypting sensitive data and deploying techniques like data loss prevention can further enhance security.

Gain further understanding by viewing the entire webinar. Click here to view it for free!

Explore Further and delve into “Unstructured Data Threats and Expert Solutions” in our premier blog post. Click here to read more!

Meet the Webinar Panellists

Juha Sallinen: Founder and manager of GDPR Tech, Juha brings to the table a deep understanding of data protection and its real-world applications.

Nina Barzey: Hailing from Sweden, Nina is a seasoned lawyer who spearheads her own advocate bureau. A specialist in data privacy law, she’ll be shedding light on the legal intricacies of our discussion.

Petri Aalto: Based in Finland, Petri is a solution architect with a rich history of crafting and implementing global architectural designs. His vast experience with various global organizations offers a unique perspective on today’s topics.

Unstructured Data Threats and How Top Experts Say You Can Handle It

In the realm of data management, the term “unstructured data” has increasingly become a buzzword. While the data-driven future beckons us with promise, it’s essential to manage the vast amounts of unstructured data effectively and securely. In the latest webinar presented by Juha Sallinen, the founder and manager of GDPR Tech, the complex world of unstructured data took centre stage. Juha was joined by a distinguished panel of Nina Barzey and Petri Aalto who brought different perspectives to the conversation. The webinar discussion was not just about understanding what unstructured data means but also about identifying the potential risks associated with it and how to manage them effectively. Let’s decode the message the panel shared.

Defining Unstructured Data

According to an IDC whitepaper from 2019, it’s anticipated that by 2025, most of the data will be considered unstructured. But what exactly is unstructured data? Unlike structured data, which is organized in rows, columns, and databases, and is easily searchable and protected, unstructured data is quite the opposite. Examples of structured data might be a customer list in a CRM or a well-maintained database of transactions. Unstructured data, on the other hand, can be files, spreadsheets, emails, or even IoT-generated data. It’s not stored in a specific format or location, making it hard to track, manage, and protect.

The Growth and Challenges of Unstructured Data

Each year sees an exponential growth in data, especially with the shift towards cloud storage. However, despite the growth and the evolution of storage mechanisms, much of this data remains unstructured. Alarmingly, it’s estimated that 80-90% of organizational data is unstructured, and about 60% of that is either cold or dark data. This refers to data that’s outdated and should either be deleted, archived, or purged.

Yet, the challenges don’t end there. Many organizations lack clarity on data ownership. The question of “Who owns this piece of data?” often goes unanswered. Without clear ownership, it becomes a challenge to make decisions regarding data retention or protection. And, many a time, sensitive data finds its way into inappropriate storage spaces like public file servers or unprotected SharePoint sites. Compounding these challenges are inconsistent access management processes and the ever-evolving landscape of technology, which often leaves users confused about the correct protocols for storing and sharing data.

Risks of Mismanaged Unstructured Data

In the webinar, Sallinen and the panel pointed out a few glaring issues that arise from mishandling unstructured data:

  • Lack of Data Ownership: Without clear ownership, decision-making becomes a challenge.
  • Inadequate Data Protection: Often, unstructured data isn’t adequately secured, making it accessible to anyone within an organization.
  • Sensitive Data in the Wrong Places: Health data, for instance, might be found in unprotected servers or shared sites.
  • Issues with Identity Access Management: Even if processes are in place, they’re not always followed.

These mishandlings can lead to significant data breaches, with vast amounts of data being lost to third parties. From ACER reporting a loss of 160GB of data to Panasonic admitting a breach due to unauthorized access, the examples are numerous and alarming.

Gaining Control Over Unstructured Data

Addressing these challenges requires a holistic approach. Organizations need to relook at their security and privacy strategies, map out data architecture, and have a clear retention policy. The data access strategy also needs revisiting to ensure that only authorized personnel have access to sensitive data.

One of the primary recommendations from Sallinen is to conduct a data assessment. Understanding where the data resides, its format, ownership, relevance, and legal base is crucial. The age-old data privacy acronym of CIA – Confidentiality, Integrity, and Availability – was reiterated. Data should be confidential, unchanged (maintaining its integrity), and available only to those authorized to access it.

Five-Step Approach to Unstructured Data Management

Based on the studies and GDPR Tech data assessments, approximately 15% of the data has been actively used within the last year. Sallinen’s approach towards addressing the unstructured data challenge can be summarized in a few steps:

  1. End-User Communication: Engage with the end-users, inform them about data assessments, and motivate them for data cleaning.
  2. Fix Access Issues: Remove any blanket access rights, ensuring data is only accessible to relevant users.
  3. Data Governance: Ensure your data governance plans align with the reality on the ground.
  4. Archive or Delete Old Data: Regularly purge outdated data.
  5. Classify Data Content: Understand the nature of data, ensuring compliance with data privacy laws at all levels.

One of the tools Sallinen also mentions is data mapping. By classifying data based on its content and relevance, organizations can pinpoint potential issues and act accordingly. It’s about finding the proverbial “needle in the haystack.”

Effective Management of Unstructured Data for Tomorrow’s Growth

The world of data is vast and constantly evolving. While unstructured data presents significant challenges, with the right strategies and practices in place, organizations can mitigate risks. As Sallinen and the panel put it, it’s about planning, acting, checking, and then repeating the cycle. With diligent management and consistent reviews, unstructured data doesn’t have to be an enigma. Instead, it can be an asset that, when harnessed correctly, can drive value and growth.

The future might be data-driven, but it’s up to organizations today to ensure that this data is managed effectively and securely.

Discover more insights by watching the full webinar. Click here to view it for free!

Dive Deeper and explore “The Future of Unstructured Data: Lessons from the Pegasus Airlines Data Breach” within this webinar series. Click here to read the full article!

Meet the Webinar Panelists

Juha Sallinen: Founder and manager of GDPR Tech, Juha brings to the table a deep understanding of data protection and its real-world applications.

Nina Barzey: Hailing from Sweden, Nina is a seasoned lawyer who spearheads her own advocate bureau. A specialist in data privacy law, she’ll be shedding light on the legal intricacies of our discussion.

Petri Aalto: Based in Finland, Petri is a solution architect with a rich history of crafting and implementing global architectural designs. His vast experience with various global organizations offers a unique perspective on today’s topics.

It is worth investing in the implementation of even a small change


In November blog, Juha wrote about the importance of planning and control as guarantors of data protection level – both important things. Well-designed means that services and systems are also easy to use. The vast majority of employees of companies and communities have little to know or care about the GDPR; This is quite normal, and even a fanatical security manager or data protection officer can’t hope for more.

This is why it is essential to consider how GDPR requirements are communicated, trained, and implemented internally at the design stage.

Communication should start at the stage of the project where it is known what and what kind of data is stored and used, i.e., right after the data’s status and mode has been mapped. Unfortunately, communication is often left in a couple of e-mails anointing that the legislator has given us an announcement and which must be complied as it is. The guidelines then use a few French lines to tell what not to do, and that’s it.

In my experience, at this point, there is a risk of making the first mistake and a rather expensive one. Coercion is a lousy motivator: if the staff is even explained in outline what it is about and how abuses can affect business, the human mind is more effortless to embrace and motivated to work on privacy. The GDPR is an indigestible legal text to interpret without direct guidance on how people should handle the requirements. Still, in capable hands, conditions can be used to identify necessary practical actions designed to be usable in an organization.

Employee training should always be tailored to the client’s needs and situation and not cut corners by directly copying what has been done in the past. A well-planned training will consider the rationale for the data protection work, making it easier for employees to understand and accept the requirements. Of course, data protection is the company’s responsibility, but blundering in your job usually slows down the career development or may even be the end of it. Ignorance is no longer a valid justification.

Unfortunately, usability is often left at the level of beautiful presentations and diagrams, which are not listened to in the staff’s experience and expertise. Who knows better than the team how the company handles things? The inherent sin of service design, on the other hand, is the lack of testing already at the design stage; in practice, processes are often copied, and so, not necessarily designed for concerned needs.

To end up with, a GDPR or data mapping project designed and implemented in collaboration with an expert is always better than a Google search generated list(s) of measures that are primarily left to staff to interpret and enforce. In the worst case, it remains partly undone.

At GDPR Tech, we have expertise in the planning of communication, training, and service usability. A reasonable additional investment in implementing the change will pay for itself when the project results are evaluated afterward. The mere order from management to act one way or another is likely to remain a shorthanded performance leaving the secure processing of personal data not to become part of the organizations operating culture.

The author is an all-rounder in business information security who has recently foul into the intricacies of service design and experienced enlightenment about usability as an integral part of the whole.

Put your infrastructure risks in control with analytical tools

As in modern world, business is under constant change and outsourcing is new black, it is challenging to analyse risk status reliably. Data should be available in all situations – also during exceptional times – as demanded by business, and by compliance rules like NIS-D and GDPR. For business, data availability and infrastructure are keys for success.

In 2020 it is common to have infrastructure solutions from on-premises, service providers and cloud sources. These combinations can easily establish an environment which is difficult to observe as whole. This is a concern not only for costs, but also for data availability and business continuity. Happy is the CIO or CTO, who is in charge of services and hardware provided by one or two companies. With booming business, a growing number of providers and environments is the rule.

  • Cloud IaaS from there, BaaS from there. Outsourcing from another service provider. All from a bit different vendors – Rubrik, Veeam, EMC Isilon, HP Data Protector, IBM TSM, VMware, Hyper-V, AWS, Windows, HP-UX, Red Hat, to start with.

Dashboard view? Is all this needed anymore? Which version are we running? Are all versions up-to-date or on planned level? Are all servers under backup routines? Is our possible restore under recovery time objective (RTO), which is set by that critical business unit? Is there a growing number of new virtual services and servers – and are they at all under control or even under backup?

These should be routine checks and therefore hardly any problems at all. Still, headlines “Organisation down and hackers took the environment down – no backups to restore operations” pop up in media. If there is no control of the whole, fundamental risks can come true. 

Therefore, risk mitigation trends and mitigation analysis should be key visuals for those in charge.

For organisations operating internationally, the current status-quo is capacity scattered and under-used in many platforms. Scattered, under-used but definitely overpaid.

Compliance, directives, regulations and standards (like PCI-DSS, NIS-D, GDPR) often demand data availability. Naturally and typically this is a demand by business unit too. 

Cloud, no-cloud or hybrid-cloud overview dashboard to all environments?

With this kind of tool, it is easier to answer to those difficult questions: Are there risks that have not been traced? Is all capacity under control? Is there an environment that is a historical leftover? (You know those “use this only during the migration” or ”temporary”. We know.)

Reports presented in this blog are consistent and standardised even though the data sources and vendors are not. These reports are automatically created with a tool, which generates correlation over the set of products. All data is imported from sources without installed agents and securely, generating correlations and corrective actions for your usage. 

With this tool it is easy to drill-down deeper, e.g. to a very technical level or go to higher cost or charge-back level.

The tool is Veritas APTARE IT analytics. We use this tool also for infrastructure assessments, which analyse an adequate number of infrastructure core components. Based on this data, corrective actions and risk mitigation plans are created for you to support your decision making. Ask more or schedule a demo.

Was there any common sense in GDPR in the year of 2019?

GDPR Tech had it’s third year and anniversary in December 2019. Now it is good time to look back what has been accomplished. There are always things to do, also from our side.

Since the beginning of the company our motto has been: “In GDPR related issues, common sense is allowed”. With that motto we mean that GDPR covers a large area, and you shouldn’t overact or underestimate it. There are many elements for being “GDPR compliant”, but don’t overdo. Especially don’t focus only on e.g.  documentation, and forget to accomplish actual corrective actions.

GDPR has been considered to be complex and difficult to implement. To simplify GDPR compliance, risk-based approach is the easiest way on the way to compliance. Sweet and simple. We control and/or process living individuals’ data. GDPR sets the frames how we can use that data. One of the goals is and has been to harmonize national legislation to GDPR, thus rules being the same all over the Europe. Intention is to support individuals, not to stop normal business operations.

Why has this regulation been introduced as everybody follows the law and takes such good care of all data?

Well. There are several reasons for that, e.g. data breaches, companies selling our personal data, and political influencing based on personal data.  Many companies make good profits with selling our personal data to third parties, be it for sales, marketing or illegal purposes. Some of the companies really believe that they do own YOUR and my personal data. Yep, that is your data, not Googles or Facebook’s.

In Europe GDPR is a reality and that reality is here now

But is it here? After 25th May 2018 nothing happened, and scaremongering consults apocalypse vanished to void? In reality it has taken more time as cases are complex.

Think about these examples: has there been any “privacy by design/default” or common sense involved?

  • Airline carrier in UK left webpages without patches (technically, those boring cybersecurity and updates to components). About 500 000 (0,5M) individuals’ personal data was copied to third party, possible giving data to hackers in big time. Would you feel comfortable to be one of the many?
  • Municipality in Norway and its school stored without protection pupils’ passwords and login information in one file, which contained also access data of under-age. Would it be happy to realize, that many of the other pupils have had access to your kid’s data?
  • Hospital in Germany mixed patients when invoicing them, and many patients got treatment bill with somebody else’s patient data. Your kid, who’s an exchange student in Germany, is she one of the winners of being involved?

Yap, we also think that this kind of things should not happen. Local authorities in these countries were thinking the same way, and when the gentle nudging did not help, they sanctioned the orgs with tens of thousands to millions of euros, depending on the case and its level of severity.

What to do to be compliant in 2020? Can we do a project, one-off, lift-and-shift and off we go?

Our approach to GDPR readiness is divided to four sections, which the following pie presents. (those who have met me, have seen my horrible pie presentations in whiteboard, sorry).

  • Regulation, legal affairs, responsibilities, typically things like contracts, due diligence, data processing agreements and so on. (in many cases paperwork only, but this is also required)

But the legal advisory is not enough. Not at all, as GDPR also demands risk-based approach and “technical and organizational measures” as well as regarding “state of the art tools”. Therefore, we need three more parts of the pie to make it complete.

  • Guidance, trainings, applications, awareness, changes to status-quo
  • Security – technical and organisational aspects
  • Data management – both for structured and unstructured data (those M: drives with common directories, we know)

Project is a good start. But it’s only the beginning. Being compliant means keeping your new practices up-to-date and in good shape. It’s easier after you have taken the initial step. Things change, so remember impact assessments and updating your documentation.

Have a safe year 2020. Let’s make this year more secure than the previous one. And keep up with the good work you have done!

Juha Sallinen

Data relating to individuals in images – a risk in your unstructured data?

Do you store information of individuals in scanned images (e.g. driving license, passport) and is there a risk of this information not being genuinely protected? By default, this is an acceptable method to store data, but is the information really protected as well as it should be? How to be sure and how to identify possible risks in your unstructured data environment?

The challenge: We have been doing Dark Data Assessment since 2016, and from time to time we have faced situations where it would have been useful to know the potential risks of images. Challenging files may quite possibly account for over 8% of all of your data. In the case of terabytes or millions of files, it can be a taunting task to track down challenging content. How to identify images in large scale or from millions of files, which contain patterns relating to personal information (which is under EU GDPR or other regulations or guidelines)? Let’s look at an example.

On the left, we have a Finnish driving license, which also contains the social security number of the individual. On the right, we have a sample of the new Irish passport.

So, let’s take under consideration a typical large or medium-sized enterprise, having millions of files in the fileserver, intranet and emails. Are all those files protected? Is there a possibility, that there is data containing personal information that is stored in the wrong place? The answer almost certainly is yes. Since we started our assessment service, we have basically every single time found data that is in risk. How can we identify these files? Simply, we run our assessment service and identify the risks in the particular environment. Typically, most worrying targets are file servers and intranet servers, as they hold most of the data and are basically unstructured. We are now talking about that infamous M: disk and that shared folder labelled “common”.

Our assessment starts by carefully defining the scope and patterns to use. Then we scan the metadata and content. To content scanning we can also include optical character recognition (OCR) and examine the found data.

Regarding the images above, standard assessment would find and pinpoint them like this:

As we can see from the sample image of scanning results, in doing OCR for images, the quality of the image is important. While this might not be a 100% accurate method, manual search of images would be significantly less so.

Our standardized assessment, Dark Data Assessment – DDA 4D can help you with finding and securing your image files. Ask for more information on how to identify possible risk areas in your unstructured data environment and lower risks! Keep in mind, that DDA 4D moreover offers other benefits such as saving storage and backup capacity.

Keep your data safe – Order Dark Data Assessment now!

#DDA #DarkDataAssessment #GDPR

GDPR Start Package

GDPR Start Package released

GDPR (General Data Protection Regulation) Start package has been released now in English too! Our GDPR Start Package solution is targeted for small to midsize companies to help them with the start of their GDPR journey.

The package helps the company to understand the requirements of GDPR and offers helps with the first steps towards GDPR compliancy. GDPR Start Package offers also training and certification for GDPR Awareness.

Prepare your organization for the EU General Data Protection Regulation (EU GDPR) with easy to implement steps

Prepare your organization for the GDPR with easy to implement steps

EU General Data Protection Regulation, GDPR, will come into effect on 25th of May 2018 after two-year transition time. All the organizations and companies that handle personal data of EU residents are under the regulation.  

The path to GDPR compliance is different in every organization. We want to support our customers to understand the requirements of EU General Data Protection Regulation and make possible to meet the requirements in practice. We offer data management tools, information security and variation of courses and trainings so meeting the requirements is as easy as possible. 

Following these three simple steps, you can easily ramp up your readiness for being GDPR compliant:

Knowledge of GDPR is a key

From awareness for the key persons to deeper knowledge – educate your staff of GDPR in any level via e-learning or classroom courses.

Regulation is about data

Know where your data is. So get a grip of your data flow with “Data Flow Mapping Tool”.

Assure your GDPR readiness

Document your efforts and plan for the possibly required changes to being compliant – organized documentation toolkit accelerates your effort.

Data flow mapping tool

Gain full visibility over the flow of personal data through your organization to meet the terms of the EU General Data Protection Regulation (GDPR).

The Data Flow Mapping Tool simplifies the process of creating data flow maps, giving you a thorough understanding of what personal data your organization processes and why, where it is held and how it is transferred. The Data Flow Mapping Tool is a Cloud-based application, licensed for up to five users and can be accessed via any compatible browser.

GDPR Documentation Toolkit

Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:

• A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.

• Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.

• Direction and guidance from expert GDPR practitioners.

• Includes two licenses for the GDPR Staff Awareness E-learning Course.

Certified GDPR Foundation Distance Learning Training Course and Exam

Be ready for the GDPR by developing your knowledge of it with an accredited qualification. Learn in your own time and at your own pace about the Regulation and the implications and legal requirements for organizations. The GDPR Foundation qualification is a prerequisite for the GDPR Practitioner course.

• Duration: Six modules with a total course length of three hours – learn in your own time as your schedule allows.

• Format: Distance learning – save time and costs by accessing this recorded session from anywhere in the world whenever it suits you.

• Includes a complimentary copy of EU GDPR – A Pocket Guide.

GDPR Staff Awareness E-learning Course

This simple-to-use interactive modular e-learning programme for employees introduces the new GDPR and the key compliance obligations for organisations.

A key component of any organisation’s GDPR compliance framework is staff awareness and education. With significant fines for non-compliance from May 2018, it is essential that your staff have an understanding of the compliance requirements under the new regulation. The course includes:

• Web based course of EU GDPR

• Assessment module for testing your knowledge, which can be retake until passed

• Printable certificate for all learners who pass the test.

You may ask for customization options and volume discounts.

Please do not hesitate to ask about our other GDPR services! We are always happy to help you!