Lets start with that I adore data and the Internet but I also believe in privacy being a fundamental human right. I don’t see privacy as a hindrance to business but a way to run your data business with respect to your clients, partners, investors, shareholders, employees, management. Out of respect good things are born.
I have worked with data from different angles all my career in Estonia as well as in the UK. Currently my company acts as a a data protection officer (DPO) for several companies. We conduct data protection and information security audits and give advice.
Data and privacy protection OÜ is the official training partner of IAPP (International Association of Privacy Professionals) in Estonia, Latvia and Lithuania. We teach the CIPP/E, CIPM, CIPT certification preparation and Privacy Foundations courses. In addition I also hold a ISO27001 lead auditor certificate.
I am a proud to be a member of the board of Estonian Data Protection Association that unites data protection practitioners in Estonia.
At Maili DPPM what makes us strong is an excellent network of partners, clients and former clients.
Maili DPPM's DPO service provides highly qualified data protection professionals with data protection (CIPP/E, CIPM) and information security auditor (ISO27001 lead auditor) certificates. The DPO's are multilingual and speak Estonian, English and Russian and have experience with the Baltic and Nordic data protection markets.
The GDPR audit helps companies to determine what organisational and technological data protection measures have been applied and if these measures work as required. The audit identifies and assesses risks and recommends risk mitigation measures in the report. Maili DPPM can conduct audits in Estonian and English.
Sometimes all is needed is a little advice to get clarity if action planned is the right kind of action. If you are looking for answers to questions such as: am I processing personal data, what data is it, where is it located, am I a processor or controller, am I forwarding personal data outside Europe, is it lawful, what are cookies, do I need consent to privacy policy, then we have answers to these and other questions you may have.
We provide two day CIPP/E and CIPM certification training in English,. CIPP/E is certified privacy professional, Europe and CIPM is a certificate for privacy programme managers, both certificates are ANSI accredited and issued by IAPP. In addition we train data protection professionals in Estonian in one day course. We also provide corporate data protection trainings on request in either English, Estonian or Russian.
Lack of attention to information security is one of the main sources of hidden risks in a company, because should the risk realise there are no risk mitigation measures in place and potential material or intellectual property damages could end up costing a company dearly. Maili DPPM's information security audit model is built based on ISO27001 information security standard and gives an independent and professional rating on information security level in a company.
Information security advisory. Based on audit we create all the relevant documentation. When required we also assess the effectiveness of information security work procedures.
GDPR requires certain companies to appoint a Data Protection Officer (DPO), read in our blog which companies need to appoint a DPO.
The DPO can be a company’s or organisation’s employee but a company can also appoint an external service provider as a DPO. Service provider is highly qualified professional who focuses full time on data protection and helps to ensure high standards of data protection in all companies or organisations.
In Maili Data and Privacy Protection Management (Maili DPPM) the DPOS are fully qualified and highly regarded experts holding data protection (CIPP/E, CIPM) and information security auditor (ISO27001 lead auditor) certificates.
Maili DPPM DPO is a good choice also for an international and multilingual company as the DPO speaks Estonian, English and Russian and is familiar with data protection peculiarities in the Baltic and Nordic countries.
The size of DPO service’s fixed monthly fee depends on company’s data protection complexity and particular requirements of a company, but it is still more reasonable than hiring an employee with similar expert knowledge.
The DPO-s tasks in a company or organisation:
Depending on the the external DPO will come to the customer’s offices for the agreed hours, to ensure that the DPO is a part of the team in the company. If the customer is located outside of Estonia, regular meetings with the company, at least one a month, will be conducted over the internet.
The GDPR audit helps the companies and institutions to determine what organisational and technological data protection measures have they applied and are these measures working as intended.
The audit is based on structured interviews with relevant employees and review of relevant documentation. If needed, an on site inspection is also conducted.
The observations in the audit report if data protection measure has been applied, partially applied or not applied and if the associated risk is high, average or low. The report also gives risk mitigation recommendations.
Sometimes all is needed is a little advice to get clarity if action taken is the right kind of action. If you are looking for answers to questions such as: am I processing personal data, what data is it, where is it located, am I a processor or controller, am I forwarding personal data outside Europe, is it lawful, what are cookies, do I need consent to privacy policy, then we have answers to these and other questions you may have.
We can help you with:
Data mapping and data flow visualisation
Map personal data processing. The mapping is done with the help of structured questionnaire, document and application analysis and review. On request create data flow charts.
Records of processing activities (ROPA)
A company that decides why and how personal data is processed is a controller and as such is required by the GDPR to maintain a record of their personal data processing activities. We will help you put together a ROPA.
Documentation
According to the GDPR companies and institutions must apply sufficient organisational and technological data protection measures. We can help to create documentation and procedures compliant with the GDPR security requirements.
Data protection impact assessment (DPIA)
DPIA must be conducted where a personal data processing is likely to result in a high risk to the fundamental rights and freedoms of natural persons. We will help to determine what is high risk and conduct the DPIA.
From the enterprise risk management perspective we recommend conducting a DPIA every time when you deploy a new application (HR software), technology (fingerprint locking system) or when you switch server housing service provider
Please leave your name and e-mail as we will respond to by e-mail.
A one day course especially useful in a company wishing to introduce a common vocabulary to their privacy and data protection teams helping to communicate privacy issues clearly between professionals and throughout organisations.
Foundations’ expert-authored curriculum details privacy’s legal and regulatory frameworks. It describes common operational processes and illustrates privacy at work through case studies and real-world examples.
Show the world you know data privacy laws and regulations and how to apply them. Demonstrate your mastery of jurisdictional laws, regulations and enforcement models, plus legal requirements for handling and transferring data.
This training is an opportunity to learn about critical privacy concepts that are also integral to the CIPP/E exam. While not purely a ‘test prep’ course, this training is appropriate for professionals who plan to certify, as well for those who want to deepen their data protection knowledge. Both the training and the exam are based on the same body of knowledge.
Make data privacy regulations work for your organization by understanding how to implement them in day-to-day operations. Learn to create a company vision, structure a data protection team, develop and implement system frameworks, communicate to stakeholders, measure performance and more.
Lack of attention to information security is one of the main sources of hidden risks in a company, because should the risk realise there are no risk mitigation measures in place and potential material or intellectual property damages could end up costing a company dearly.
Our information security audit model is built based on ISO27001 information security standard. During the audit we assess if the information security measures are appropriate and sufficient and recommend risk mitigation measures based on audit findings.
Audit gives an independent and professional rating on information security level in a company.
Audit report gives concise and easy to understand review of how well the information security measures protect company’s assets and infrastructure to a company’s board and management or if needed to investors, partners or shareholders.
Depending on company’s exact requirements, we conduct information security audits also with partners that can assess any specific information security topic required.We conduct a structured interview with relevant employee, test on site and review applicable documentation.
Based on audit we create the required cybersecurity documentation in the company..
When required we also assess the effectiveness of information security work procedures and make recommendations how to improve them.
With our partners we can provide more technical information security advice or help you understand if your development procedures and teams are working as well as they should.
On the second week of January 2022, Austrian Data Protection regulator made a decision that use of Google Analytics violates the EU General Data Protection Regulation 2016/679. Which means that the companies with websites based in the EU and directed at EU data subjects cannot use Google Analytics on their websites. As European Data Protection…
Court of Justice of the EU (CJEU) decision in case C‑184/20 said that inferred special categories of data is indeed special categories of data as defined in the article 9 of the GDPR. The court case was brought forward by Lithuanian Commission of Ethics and is based on Lithuanian legislation that requires that people in…
Let’s start with what is a privacy policy why is it necessary for your company to have one. Privacy policy is an opportunity for your company to inform your clients, partners and employees about how you manage their personal data. At the same time you are also complying with the GDPR requirement to provide…
Before you ask “isn’t there a better name for internet cookies”, no there isn’t, this is how they are known. A cookie is a small piece of data or message that is sent from an organisation’s web server to your web browser and is then stored on your hard drive. Cookies can’t read data off…
Who is a DPO? DPO is a professional with specialist knowledge of data and privacy protection, whose task in an organisation is to ensure that organisational and technological data protection measures are established in an organisation and who also monitors if these measures are effective. What does DPO do? In addition to implementing and monitoring…
