Provide training and assess the implementation of data protection

You can ensure sufficient data protection training when each party processing personal data is aware of the requirements that apply to them. This requires identifying the need for training and making enough training courses available.
You should take at least the following aspects into consideration when planning training:

1. Persons processing special category data need more in-depth training than those who do not handle special categories of personal data.
2. Those who make decisions on the processing of personal data and are responsible for it need different training than those who are part of individual processes of personal data processing.

Providing adequate and up-to-date training is important for managing data protection risks. From the perspective of organisational risks, it is essential that the training needs and completed training courses are documented so that the organisation can demonstrate how the training has been provided, if necessary.

The Digital and Population Data Services Agency maintains services for public administration.

• Digiturvan kokonaiskuvapalvelu (in Finnish)Opens in a new window.
• Digiturvan riskienhallintieto-palvelu (in Finnish)Opens in a new window.

A number of self-monitoring tools have been published in the VAHTI good practices.Opens in a new window. There are also commercial services that measure the level of data protection.

Well-managed data protection can be a competitive advantage for some organisations. Other possibilities include

• positive customer feedback
• increased customer and stakeholder trust
• positive publicity and development of the public image.

Data protection issues may

• cause problems in developing operations and services
• cause problems in procurement
• increase operating costs
• lead to intervention by supervisory authorities
• lead to the realisation of the criminal liability of management and personnel
• endanger the legal protection of employees, specialists, management and stakeholders.

Failure to regularly review data protection processes can cause problems for data subjects, organisations, organisation management and staff alike. Possible consequences for the organisation may be

1. administrative sanctions
2. intervention by supervisory authorities regarding the processing of personal data, such as by limiting or prohibiting certain processing activities or all processing.
   Limiting or prohibiting processing activities can cause major problems for the organisation’s operation.
   

Even just an order by supervisory authorities to bring the processing of personal data to a level that meets the legal requirements may be costly, slow and sometimes even impossible for the organisation if compliance is only carried out after the start of the processing of personal data.

Poorly managed data protection also risks the organisation’s public image. Regaining reputation and customer trust that were lost due to data protection issues can be challenging or, at worst, impossible. Sometimes poorly implemented data protection can even lead to the termination of a business.

Data security deviations affecting personal data have become more common in the 2010s and 2020s. Even if the actors could otherwise cope with their consequences, bad publicity causes reputational damage. After information security deviations, it may be challenging to restore customers’ trust and convince them of the adequacy of information security practices.