Data Protection Survey 2023: GDPR benefits organisations, but not enough effort is being put into it

Organisations are implementing data protection work and complying with the GDPR, the EU’s General Data Protection Regulation, to protect personal data. Organisations also perceive that they benefit from these activities. However, only less than a third of organisations practice contingency planning.

The Finnish company GDPR Tech, together with Garagelabs, has conducted a survey from 2021 onwards focusing on the current state of data protection. The survey examines how the EU General Data Protection Regulation (EU GDPR), the Data Protection Act (TSA) or similar regulations have affected the operations of companies and organisations operating in Finland.

The results of the study provide unique and unparalleled insights into the GDPR and its impact in Finland. This data will enable an analysis of the current state of data protection and its reception in Finland. The survey has been similar from 2021 onwards to allow us to monitor the development of the topic and changes over time.

You can access additional background information about the study and the respondents here!

Main data protection compliance statistics in Finland in 2023

      • The majority of respondents feel that the GDPR, as well as the national data protection law, has improved their confidence in the processing of their data. This has increased from 71.4% in 2021 to 78.0% in 2023. This is a significant increase in confidence.
      • However, only 60% of respondents feel that data protection is adequately taken care of in their organisation.
      • Public administrations in particular, but also other stakeholders, are affected by the Data Management Act, which affected more than 43% of respondents in 2023.
      • The majority of respondents (over 80%) know who the Data Protection Officer is in their organisation.
      • Emergency and disaster drills have increased, but still only around a third of organisations (31.4% in 2023) carry them out.


    Confidence in data processing and perceived benefits continue to grow

    In 2023, almost 80% of respondents feel that the GDPR and national data protection law have improved their trust in data processing. This is an increase from 71.4% in 2021 to 78% in 2023.

    More than 68% of respondents feel that the GDPR has benefited their organisation. This is a continuation of the trend in 2021, where the initial ‘GDPR says no to everything’ attitude has been replaced by a recognition that data protection can also have a positive impact. This is clearly reflected in respondents’ attitudes, although some still perceive the GDPR as a disadvantage.

    Respondent
    The lack of understanding results in numerous unnecessary data processing agreements, documents and reports. I see the benefit of increased attention to data protection issues, even if the measures are still mainly taken to fulfill formalities rather than to actually improve data protection.
    Respondent
    Costs are incurred and data training, digital learning and surveys are carried out, but the work does not change because it cannot change.
    Respondent
    Data processing is now much more systematic, which has made it easier to find information, for example. The disadvantage is the need to document and maintain that data. I still see the threat that people will not comply with these regulations and thus there will be data leaks. The opportunity I see is that information in general will become more organised and manageable.


    Figure 1: Confidence in data processing? – Yes answers


    Figure 2: Does GDPR benefit your organisation? – Yes answers

     

    One in five believe GDPR implementation is the sole responsibility of the IT department

    According to the 2021 survey, a range of departments were responsible for data protection, including IT, finance, HR and legal. The legal department accounted for up to a third of data protection work, according to respondents. In the 2022 and 2023 surveys, the legal department’s share dropped to less than 28%.

    In the 2023 survey, around a fifth of respondents felt that GDPR had been left to IT alone. Risk management is a particular concern. In 2023, a downward trend was observed where risks had not been adequately mapped. Although the practical work of data protection, especially in terms of technical safeguards, is mainly done in IT. Risk management in the organisation is generally not the responsibility of IT.


    Figure 3: Has GDPR left only IT to deal with?

    Kyllä = Yes
    Ei = No
    En osaa sanoa = I can’t say

     

    Figure 4: Has your organisation identified the risks associated with personal data? – Yes answers

     

    The answer to the question “Do you think you have adequate data protection in place?” is also a cause for concern, with a quarter of respondents (25.5%) answering in the negative.

    “We have been conducting data protection snapshots with different organisations for years and we can see an increase in employee awareness. People are now more critical of the organisation’s practices and more open about their findings. Especially in medium-sized companies, risk management usually does not cover data protection risks as part of ongoing risk management. Data protection operates as a separate process”.

    Juha Sallinen, CEO – GDPR Tech


    Figure 5: Do you think that data protection has been adequately taken care of?

    Kyllä = Yes
    Ei = No
    En osaa sanoa = I can’t say

     

    Respondent
    Awareness of data protection issues has improved substantially and processes have been developed, etc.
    Respondent
    The risk is old systems, partly external users of the systems, people also do not understand the purpose of the data protection law or how it affects their work.

    At least one in four employees has no data protection training

    Just over 60% of respondents say that new employees receive a data protection briefing as part of their induction. Worryingly, however, from a good performance in 2021, when almost 90% of employees were trained in GDPR, this figure has fallen to 75% in 2023. Meanwhile, a quarter of respondents do not train new employees on data protection as part of their induction.

    Some respondents mentioned that employees are not always reminded to familiarise themselves with data protection, and there is also a lack of regular training. According to Juha Sallinen, CEO of GDPR Tech, practical action in organisations is often fragmented:

    ‘We have often seen a situation where an organisation has trained its staff in some way in 2018, but nothing has happened since. It is also common that GDPR and data protection training is available, but performance is not monitored.”

    Respondent
    There is a lot of data phishing going on, so it takes a lot of effort in terms of privacy and security, but of course it is essential and understandable in any sector. Also, we're dealing with sensitive data, so it's particularly important to make sure that everyone understands the importance of data protection and doesn't see it as a mandatory evil or as something they can get away with.
    Respondent
    GDPR is a complete waste of time and resources. Nothing has changed except that websites are full of pop-ups and everything is more complicated.


    Figure 6: Is GDPR guidance part of the induction?


    Kyllä = Yes
    Ei = No
    En osaa sanoa = I can’t say


    Figure 7: Do you have GDPR compliance training in place for your staff?

    Kyllä = Yes
    Ei = No
    En osaa sanoa = I can’t say

     

    Finnish organisations are aware of GDPR consequences and sanctions

    Respondents were asked if they were aware of possible sanctions for data protection violations, such as fines or processing bans. 100% were aware of what happens if the law is not adequately complied with. This compares to 93% in 2021. We suspect that the increase in awareness has also been influenced by the news of data breaches that appear in the media from time to time.

    Some respondents felt that organisations are now taking GDPR more seriously, while others felt that there is still a lack of awareness.

    Figure 8: Are you aware that there may be sanctions (fines or processing bans) for non-compliance with the GDPR? (Not applicable to public administration in Finland) – Yes answers

     

    Confidence in the protection of personal data at organisational level is generally low

    It is worrying that respondents have little confidence in the ability of organisations to protect their data. When asked if they were concerned about how their own data was being handled, just over 50% said they were not concerned. However, by 2021-2023, more than 40% of respondents said they were concerned about how their own data is handled. Clearly, more work is needed on data protection enforcement and risk management to improve trust in the way our data is handled.

    Figure 9: Recently, there have been cases in the media where personal data have been leaked to criminals. Are you concerned about your personal data? – Yes answers

     

    Website cookies and visitor tracking are not clear to everyone

    The question ‘Are you aware that website cookies are used to track your behaviour and to target marketing of other products’ asked respondents about their awareness of website tracking technologies. The answers provide some worrying information. Despite granting cookies and tracking permissions, respondents are less aware of what is happening on the website and therefore less aware of how their data is being used.

    This can be confusing. For example, in Finland the monitoring of website users is under the supervision and guidance of Traficom and not the Data Protection Ombudsman. Many people may have missed Traficom’s 2021 guidelines, and in Finland it appears that there will be no sanctions for cookie processing.

    Figure 10: Did you know that website cookies track your behaviour?

    Kyllä = Yes
    Ei = No
    En osaa sanoa = I can’t say

    Respondent
    Since we have data, we need to use it for productivity, economic growth and to fight crime. Data and AI are needed.

    There is still room for improvement in data protection work

    The responses over the three years suggest that many organisations have implemented GDPR activities as a project, but these activities have not been translated into day-to-day operations. Although the GDPR is still a relatively new regulation, user awareness of it continues to grow. Discussions and media coverage often focus on data protection legislation and how to communicate it more widely. 

    In Finland, the number of data breaches that have reached the media and the resulting sanctions has been relatively low compared to other European countries. Nevertheless, more and more consumers are concerned about their own data and expect organisations to act in accordance with the law, including the GDPR.

    “For the first time, AI and the use of data also appear in respondents’ comments. The different views of respondents remind us of the challenges we see in projects and training. We have noticed misunderstandings about the topic, which is why some feel that GDPR ‘bans everything’. In organisations where policies are clearly defined and data protection is part of daily operations, benefits such as consistency and operational clarity have been achieved. Process efficiency and operational clarity have also been observed among respondents. The importance of trust is highlighted in several responses – transparency and accountability can improve customer trust in the organisation,” Sallinen concludes.

    Further information:

    Juha Sallinen
    Entrepreneur, Information Management and Technology Architect
    GDPR Tech 

    040 5666 900
    [email protected]

    What's new?

    In the blog you will find current information, interesting articles and a lot of detailed information related to data protection.

    Read these also

    Share on social media

    Request a quote for services