With the EU's General Data Protection Regulation (GDPR) coming into force on May 25, companies and organisations have been making frantic preparations for the new regime. By Friday, organisations will have to inform customers about why they are collecting their data, how it will be used and with whom it will be shared, among other things.
In Finland, at least, organisations run by foreigners are hard-pressed to find information on the new rules in English.
"There’s very little decent material about it online, and there’s some Finnish material which is not really good. When it comes to English, we have to focus on material from the US or UK, which is not really good for small organisations who don't handle bank data or credit card numbers,” says Julie Breton of Moniheli, an umbrella organisation representing more than 100 multicultural associations in Finland.
The data framework aims to give the bloc’s citizens more control over their data and better reflect today’s digital reality. GDPR supersedes non-binding EU guidelines issued in 1995, a time of dial-up modems and floppy disks. Twenty years ago personal data was not the huge money-generating commodity it is today. Now people regularly volunteer personal information on social networks but do not necessarily understand it may be passed on to third parties -- and often for profit.
"GDPR is interesting from the perspective of managing data leaks and how hacks are managed," computer security expert Mikko Hyppönen told Yle News, alluding to how companies operating in the EU will have to notify their customers within 72 hours of a data breach.
Major compliance challenges
In the aftermath of scandals over Facebook and Cambridge Analytica data misuse, GDPR empowers private individuals to know more about the personal information service providers have on them. The new data protection regime also gives users the right to opt out or 'be forgotten.' With data privacy imperatives now a legal requirement, smaller firms also have to comply to remain on the right side of the law.
"Most of the small volunteer organisations that we work with don’t know what GDPR is about and they also don’t have the resources to allocate to solving the issue," Breton explains. These NGOs are not alone in their bewilderment. A study last month by analytics company SAS found that 93 percent of global companies are not yet fully GDPR compliant.
Breton says she reached out to the Data Protection Ombudsman’s office in Helsinki a few weeks ago requesting information in English or simple Finnish, but has not heard back.
While Friday's date marks the end of a two-year grace period granted to EU states to get national legislation in order and for companies to do the same, Minna Aalto-Setälä, legal counsel at the Finland Chamber of Commerce, says companies will start complying once the legislation comes into effect.
"The smaller companies aren't there yet but they are working towards it," adds Aalto-Setälä, whose chamber of commerce network represents some 20,000 businesses in Finland.
That said, small and medium-sized businesses make up 95 percent of the Finnish corporate landscape.
"There's lots of questions and not a lot of answers at this point,” says Breton, referring to the rules that Brussels envisions will stem unauthorised data brokering, the buying and selling of personal information, in the tech industry.
Too little, too late?
Jason Levine, who offers GDPR compliance services, echoes Breton’s criticism of the lack of information on the regulation available in English in Finland.
"I think one of the significant problems is that most companies don’t understand how GDPR is applicable to them. GDPR is quite daunting--especially for small and mid-sized companies--and they often don’t know where to begin,” he told Yle News.
It’s a good time for law firms specialising in data protection. But even leading Helsinki business law firm HPP Attorneys Ltd only offers GDPR training in Finnish.
Non-compliance comes at a cost, however. Penalties can run from two to four percent of turnover or up to 20 million euros.
Levine points out that GDPR puts the onus on companies to demonstrate compliance.
"It’s sort of a guilty until proven innocent system," Levine says.
Meanwhile Breton of Moniheli is just getting started:
"We are not really at an implementation phase, we are trying to figure out what’s going on. Is an event participant's dietary preference personal information that should be deleted?" she asks.
The EU’s official GDPR portal offers general information in English, including a rundown of frequently asked questions.
Yle News contacted Finland's Data Protection Ombudsman Reijo Aarnio numerous times but was unable to reach him.