Organisations are implementing data protection work and complying with the GDPR, the EU’s General Data Protection Regulation, to protect personal data. Organisations also perceive that they benefit from these activities. However, only less than a third of organisations practice contingency planning.
The Finnish company GDPR Tech, together with Garagelabs, has conducted a survey from 2021 onwards focusing on the current state of data protection. The survey examines how the EU General Data Protection Regulation (EU GDPR), the Data Protection Act (TSA) or similar regulations have affected the operations of companies and organisations operating in Finland.
The results of the study provide unique and unparalleled insights into the GDPR and its impact in Finland. This data will enable an analysis of the current state of data protection and its reception in Finland. The survey has been similar from 2021 onwards to allow us to monitor the development of the topic and changes over time.
You can access additional background information about the study and the respondents here!
Main data protection compliance statistics in Finland in 2023
-
- The majority of respondents feel that the GDPR, as well as the national data protection law, has improved their confidence in the processing of their data. This has increased from 71.4% in 2021 to 78.0% in 2023. This is a significant increase in confidence.
- However, only 60% of respondents feel that data protection is adequately taken care of in their organisation.
- Public administrations in particular, but also other stakeholders, are affected by the Data Management Act, which affected more than 43% of respondents in 2023.
- The majority of respondents (over 80%) know who the Data Protection Officer is in their organisation.
- Emergency and disaster drills have increased, but still only around a third of organisations (31.4% in 2023) carry them out.
Confidence in data processing and perceived benefits continue to grow
In 2023, almost 80% of respondents feel that the GDPR and national data protection law have improved their trust in data processing. This is an increase from 71.4% in 2021 to 78% in 2023.
More than 68% of respondents feel that the GDPR has benefited their organisation. This is a continuation of the trend in 2021, where the initial ‘GDPR says no to everything’ attitude has been replaced by a recognition that data protection can also have a positive impact. This is clearly reflected in respondents’ attitudes, although some still perceive the GDPR as a disadvantage.
Figure 1: Confidence in data processing? – Yes answers
Figure 2: Does GDPR benefit your organisation? – Yes answers
One in five believe GDPR implementation is the sole responsibility of the IT department
According to the 2021 survey, a range of departments were responsible for data protection, including IT, finance, HR and legal. The legal department accounted for up to a third of data protection work, according to respondents. In the 2022 and 2023 surveys, the legal department’s share dropped to less than 28%.
In the 2023 survey, around a fifth of respondents felt that GDPR had been left to IT alone. Risk management is a particular concern. In 2023, a downward trend was observed where risks had not been adequately mapped. Although the practical work of data protection, especially in terms of technical safeguards, is mainly done in IT. Risk management in the organisation is generally not the responsibility of IT.
Figure 3: Has GDPR left only IT to deal with?
Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say
Figure 4: Has your organisation identified the risks associated with personal data? – Yes answers
The answer to the question “Do you think you have adequate data protection in place?” is also a cause for concern, with a quarter of respondents (25.5%) answering in the negative.
“We have been conducting data protection snapshots with different organisations for years and we can see an increase in employee awareness. People are now more critical of the organisation’s practices and more open about their findings. Especially in medium-sized companies, risk management usually does not cover data protection risks as part of ongoing risk management. Data protection operates as a separate process”.
Juha Sallinen, CEO – GDPR Tech
Figure 5: Do you think that data protection has been adequately taken care of?
Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say
At least one in four employees has no data protection training
Just over 60% of respondents say that new employees receive a data protection briefing as part of their induction. Worryingly, however, from a good performance in 2021, when almost 90% of employees were trained in GDPR, this figure has fallen to 75% in 2023. Meanwhile, a quarter of respondents do not train new employees on data protection as part of their induction.
Some respondents mentioned that employees are not always reminded to familiarise themselves with data protection, and there is also a lack of regular training. According to Juha Sallinen, CEO of GDPR Tech, practical action in organisations is often fragmented:
‘We have often seen a situation where an organisation has trained its staff in some way in 2018, but nothing has happened since. It is also common that GDPR and data protection training is available, but performance is not monitored.”
Figure 6: Is GDPR guidance part of the induction?
Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say
Figure 7: Do you have GDPR compliance training in place for your staff?
Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say
Finnish organisations are aware of GDPR consequences and sanctions
Respondents were asked if they were aware of possible sanctions for data protection violations, such as fines or processing bans. 100% were aware of what happens if the law is not adequately complied with. This compares to 93% in 2021. We suspect that the increase in awareness has also been influenced by the news of data breaches that appear in the media from time to time.
Some respondents felt that organisations are now taking GDPR more seriously, while others felt that there is still a lack of awareness.
Figure 8: Are you aware that there may be sanctions (fines or processing bans) for non-compliance with the GDPR? (Not applicable to public administration in Finland) – Yes answers
Confidence in the protection of personal data at organisational level is generally low
It is worrying that respondents have little confidence in the ability of organisations to protect their data. When asked if they were concerned about how their own data was being handled, just over 50% said they were not concerned. However, by 2021-2023, more than 40% of respondents said they were concerned about how their own data is handled. Clearly, more work is needed on data protection enforcement and risk management to improve trust in the way our data is handled.
Figure 9: Recently, there have been cases in the media where personal data have been leaked to criminals. Are you concerned about your personal data? – Yes answers
Website cookies and visitor tracking are not clear to everyone
The question ‘Are you aware that website cookies are used to track your behaviour and to target marketing of other products’ asked respondents about their awareness of website tracking technologies. The answers provide some worrying information. Despite granting cookies and tracking permissions, respondents are less aware of what is happening on the website and therefore less aware of how their data is being used.
This can be confusing. For example, in Finland the monitoring of website users is under the supervision and guidance of Traficom and not the Data Protection Ombudsman. Many people may have missed Traficom’s 2021 guidelines, and in Finland it appears that there will be no sanctions for cookie processing.
Figure 10: Did you know that website cookies track your behaviour?
Kyllä = Yes
Ei = No
En osaa sanoa = I can’t say
There is still room for improvement in data protection work
The responses over the three years suggest that many organisations have implemented GDPR activities as a project, but these activities have not been translated into day-to-day operations. Although the GDPR is still a relatively new regulation, user awareness of it continues to grow. Discussions and media coverage often focus on data protection legislation and how to communicate it more widely.
In Finland, the number of data breaches that have reached the media and the resulting sanctions has been relatively low compared to other European countries. Nevertheless, more and more consumers are concerned about their own data and expect organisations to act in accordance with the law, including the GDPR.
“For the first time, AI and the use of data also appear in respondents’ comments. The different views of respondents remind us of the challenges we see in projects and training. We have noticed misunderstandings about the topic, which is why some feel that GDPR ‘bans everything’. In organisations where policies are clearly defined and data protection is part of daily operations, benefits such as consistency and operational clarity have been achieved. Process efficiency and operational clarity have also been observed among respondents. The importance of trust is highlighted in several responses – transparency and accountability can improve customer trust in the organisation,” Sallinen concludes.
Further information:
Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech
040 5666 900
[email protected]