Over the past year, Niemikoti Foundation has made a determined leap forward in developing its data protection practices. The starting point was clear: in an external assessment, the level of data protection scored just 14 points. Today, that figure has already risen to 75.
Niina Sahlberg, who has served as the Data Protection Officer, describes the initial situation simply: there was a lot of room for improvement. Once the results showing 14 points were received, the work began in a systematic and step-by-step manner.

First observation: documentation was missing
At an early stage, one major development need became apparent: a lack of documentation.
“A huge amount of documentation was missing,” Niina says.
A large part of data protection work is “invisible” — background work involving the creation of structures, guidelines, and documents. However, Niina emphasizes that paperwork alone is not enough.
“Another major theme was staff training. If people don’t know what data protection is and how it should be implemented, documentation is secondary.”

A new data protection manual and systematic work
One of the most significant concrete steps has been the creation of a data protection manual. The manual has been written and published for everyone to access — and also to be “tested” on.
At the same time, a clear structure has been introduced into data protection work:
- annual planning
- annual reporting
- continuous development of practices
Preparing to join the Kanta services, for example, has also required creating and maintaining an information security policy.
“Documentation provides guidance. Now functional structures have been created as a foundation, which are easy to further develop and implement going forward.”

The change is visible as a shift in mindset
According to Niina, the change has not primarily been a system change, but above all a change in operating culture.
“We’re using the same systems as before, but the structures and operating practices for using them have been carefully thought through and written down.”
In instructors’ day-to-day work, the change is particularly evident in more active consideration of data protection issues.
“People genuinely think about where information can be stored and where it can be shared or disclosed. And for example, temporary client data: you can’t store a statement just anywhere if it contains personal data. The goal is that information about service users stays in Domacare.”

Rush and email are the most common risk areas
When data protection is at risk of being overlooked, the reasons are often very ordinary.
“Everyday rush. And email is very typical: is it encrypted, how should it be handled — can’t you just send it?”
Niina’s summary for staff is clear:
- Service users’ personal data belongs primarily in Domacare
- Personal data must not be sent in regular email in any form
- Matters concerning service users must not be discussed where outsiders can hear

“Everything had to be learned alongside the work”
The role of Data Protection Officer has also required a great deal of learning.
“My own starting level wasn’t great. Probably close to that 14 myself,” Niina says.
The most challenging part was finding confidence in her own work while simultaneously learning and training others.
“Situations come up quickly, and sometimes it takes a moment to think things through and resolve them so that you can give a sensible, well-justified answer.”

External audits and monitoring support development
The level of data protection is monitored in several ways. External audits, in particular, serve as a key indicator of the overall situation. In addition, monitoring includes reported data breaches and various annual metrics.
Information is compiled annually into a document that also includes observations related to information security, such as potential phishing attempts. These matters are discussed within the data protection team, and the whole is compiled into a “data protection report.”

75 is already a high level – and maintenance is what matters most
In theory, a perfect score of 100 points would be the best possible result, but in practice it is not a realistic goal.
“A hundred is the best, but apparently impossible to achieve,” Niina notes.
According to Niina, 75 is already a high level for an organization like Niemikoti Foundation, a “B+.”
“As long as we can maintain this level or improve it slightly, we’re quite satisfied.”

Tips for a successful change
If Niina were to give one piece of advice on developing data protection or systems, it would relate to everyday discussion and keeping the work close to daily practice.
“You have to talk about it repeatedly and keep it visible. Otherwise, it sinks.”
Another key factor is a motivated development team and support persons.
“Development needs to happen close to the unit. If it only comes from the top, it easily stays at that level.”
