Data Protection Survey 2024: GDPR Is Already Part of Everyday Life, but Not Fully in Practice

The Finnish company GDPR Tech Oy has been surveying the current state of data protection since 2021 in cooperation with its partner Tutkimusvoima (Raimo Pöllänen). The study examines how the EU General Data Protection Regulation (GDPR) and the Finnish Data Protection Act have affected the operations of companies and organizations in Finland.

The research results provide unique and new insights into the GDPR and its impacts in Finland. The findings help analyze the current state and development of data protection in Finnish organizations. The survey content has remained the same since 2021 to ensure reliable tracking of developments.

Organizations carry out data protection work in accordance with the GDPR, and this work is generally considered beneficial. However, drills for exceptional situations are still carried out in only about one-third of organizations.

You can find more detailed information about the study and respondents here!

Key Statistics on Compliance with Data Protection in Finland in 2024

  • The majority of respondents feel that GDPR and the national Data Protection Act have increased trust in the processing of personal data. The figure has risen from 71% in 2021 to 88% in 2024 – a significant increase in trust.
  • Nearly four out of five respondents (78%) believe that GDPR benefits the organization. Open-text responses support this, for example, with observations related to information management.
  • Concern among respondents about their own personal data has grown from about 44% previously to 54%.
  • Still, only 60% of respondents believe that organizations take sufficient care of data protection.
  • Emergency and disaster drills have increased compared to previous years, and now about 39% of organizations have carried them out.

Trust in Data Protection Work Is Growing – Organizations Also See the Benefits

Nearly 90% of respondents in 2024 believe that GDPR and the national Data Protection Act have improved trust in data processing. The percentage has grown from 71.4% in 2021 to 88% in 2024 – a significant increase.

More than 78% of respondents feel that GDPR benefits the organization. This continues the trend that began in 2021: the initial perception that “GDPR prohibits everything” has changed. Now it is recognized that data protection work can also have positive effects. This is also well reflected in the responses – although some still consider GDPR harmful.

Survey Respondent
(GDPR) complicates things in every possible way. I would no longer want to deal with the consumer when you only fear that some loophole will remain open and you will be taken to court because of it.
Survey Respondent
(GDPR) benefits: data destruction, clarity of processes.
Survey Respondent
(GDPR) threats: of course, identity theft can be a problem, but the responsibility should lie with the seller, not the buyer. Identity theft should not be the threat – instead, creating the customer relationship should be so clear that there is no room for misuse.
Survey Respondent
(GDPR) opportunities: I suppose IT systems will gradually learn managed destruction. The end result may be a good process, but I am not entirely convinced of its benefits.

Image 1: Trust in data processing – yes responses

Image 2: Does GDPR benefit your organization – yes responses

GDPR Did Not Remain Solely the Responsibility of IT

According to the 2021 survey, responsibility for data protection work lay with different units, such as IT, finance, HR, and legal departments. In the 2024 responses, the share of finance has, somewhat surprisingly, decreased significantly.

Image 3: Which unit/units in your organization are responsible for data protection (GDPR)?

Risk management has improved, at least for 2024. In 2023, however, the trend was declining, with risks going unassessed. IT plays a significant role in practical data protection work – particularly in data security and technical safeguards – but risk management in organizations is generally not part of IT’s responsibilities.

The 2024 responses show a clear improvement in the management of risks related to personal data. Increased awareness of data breaches highlighted in the media may also lie behind the responses.

Image 4: Has your organization assessed the risks related to personal data?

The answers to the question “Do you think your organization has taken sufficient care of data protection?” are concerning. The share of “NO” answers has risen from 25.5% in 2023 to as much as 29% in 2024.

“In customer work, one still sees situations where the attitude is that data protection is not our responsibility. For example, a customer service manager refused to participate in a data protection impact assessment workshop led by the Data Protection Officer because ‘data protection does not belong to us.’ In that organization, training has been available, but not everyone has completed it – this is visible in practice.”

Juha Sallinen, CEO of GDPR Tech

Image 5: In your opinion, has your organization taken sufficient care of data protection?

Survey Respondent
There are clear frameworks for the retention of personal data.
Survey Respondent
Affects all activities involving the processing, confidentiality, retention, and disclosure of information linked to individuals.

One in Five Employees Is Not Trained in Data Protection

Of the respondents, 80% report that new employees are given data protection guidance as part of onboarding. This means that one-fifth of respondent organizations do not train new employees on data protection during orientation. Some respondents reported that employees are sometimes overlooked in this regard, and regular training is often missing entirely.

According to Juha Sallinen, CEO of GDPR Tech, practical measures in organizations are often fragmented:

“We have often noticed situations where an organization trained its staff in some way in 2018, but not since. It is also common that GDPR or data protection training is available, but completion is not monitored.”

Survey Respondent
Provide a good foundation for the processing of personal data
Survey Respondent
The obstacle and threat is that public sector work has been made more difficult, and mandatory supervision costs thousands per year. Public administration must verify its activities, which are often already statutory. But this verification costs money that goes into matters unbeneficial to operations. GDPR slows down and complicates public administration activities and costs money. It does not make our work easier or faster.

Image 6: Is GDPR guidance part of employee onboarding?

Image 7: Has your staff been trained to operate in compliance with GDPR?

Awareness of Sanctions Has Grown – Attitudes Toward GDPR Vary

The survey asked respondents whether they are aware of possible consequences of data protection violations, such as fines or bans on processing. All respondents (100%) stated that they are well aware of what happens if the law is not complied with adequately. In 2021, the corresponding share was about 93%. We assume that awareness has grown partly due to media coverage of data protection sanctions.

Respondents also commented on the topic from very different perspectives. Some felt that organizations now take GDPR issues more seriously than before, while others considered the level of awareness still insufficient.

Survey Respondent
Slows down and complicates things greatly, even though I consider it important. There is also a constant worry and fear about whether I have done something wrong.
Survey Respondent
Dozens of systems and thousands of employees. Turnover is high. Attention must be paid to managing the data of former employees.

Image 8: Awareness of consequences if the law is not complied with

Trust Is Missing – Data Protection Needs Concreteness

Based on the responses, the level of trust in organizations’ data protection practices is concerning. When asked whether they are worried about the processing of their own data, a majority (54%) said they were. The implementation of data protection and risk management clearly requires more work in order to strengthen trust in the processing of personal data.

Image 9: Are you concerned about your own data?

Cookies Track – but Few Know How

The question “Did you know that website cookies track your behavior and target marketing of other products as well?” measured respondents’ awareness of website tracking technologies – and the results are worrying. Despite all the cookie and tracking consents, respondents are still uncertain about what happens on websites and what is done with their data.

The uncertainty is likely increased by the fact that in Finland, user tracking on websites is supervised not by the Data Protection Ombudsman but by Traficom, whose guidelines on the subject were already published in 2021. These guidelines have likely gone unnoticed by many. In Finland, there still do not appear to be consequences or sanctions for the use of tracking technologies contrary to official guidelines.

Image 10: Did you know that website cookies track your behavior and target marketing for other products as well?

Survey Respondent
GDPR largely defines to whom marketing messages can be sent and what must be taken into account in marketing automation. In addition, website privacy policies and cookie practices have had to be adjusted quite a lot because of GDPR.

Data Protection Work Requires Continuity – Projects Alone Are Not Enough

Based on responses over four years, it appears that in many organizations, data protection measures have been carried out as projects, but their integration into everyday operations has remained insufficient. Although GDPR is still a relatively young regulation, user awareness is clearly increasing.

Discussions and media often highlight data protection legislation and the need for related communication. An increasing number of consumers are concerned about their personal data and expect organizations to act lawfully with regard to GDPR as well.

The number of data breaches and sanctions that have reached the media in Finland is still very small compared to many other European countries. This is partly explained by Finland’s small population.

Respondents’ comments highlight concerns related to artificial intelligence, data use, and costs. The views are similar to those seen in projects and training. Misinterpretations of GDPR still exist, leading to perceptions of it as too restrictive. In organizations where data protection work has been integrated into everyday operations, clear benefits have been achieved, such as harmonization, clarification, and process efficiency.

“Trust is key – with transparency and accountability, customer trust in the company can be strengthened,” Sallinen concludes.

More information:

Juha Sallinen
Entrepreneur, Information Management and Technology Architect
GDPR Tech

040 5666 900
juha@gdprtech.com
