On the second week of January 2022, Austrian Data Protection regulator made a decision that use of Google Analytics violates the EU General Data Protection Regulation 2016/679. Which means that the companies with websites based in the EU and directed at EU data subjects cannot use Google Analytics on their websites. As European Data Protection…
Welcome to Maili Data and Privacy Protection management (DPPM)
Lets start with that I adore data and internet but I also believe in privacy being a fundamental human right. I don’t see privacy as a hindrance to business but a way to run your data business with respect to your clients, partners, investors, shareholders, employees, management. Out of respect good things are born.
I have worked with data from different angles all my career in Estonia as well as in the UK. Currently I act as a a data protection officer for several companies, conduct data protection and information security audits and give advice. I hold the IAPP’s CIPP/E and CIPM certificates and also teach certification preparation courses. I also hold a ISO27001 lead auditor certificate.
I am a proud to be a member of the board of Estonian Data Protection Association, uniting data protection practitioners in Estonia.
At Maili DPPM what makes us strong is an excellent network of partners, clients and former clients.
What we are good at
GDPR requires certain companies to appoint a Data Protection Officer (DPO), read in our blog which companies need to appoint a DPO.
The DPO can be a company’s or organisation’s employee but a company can also appoint an external service provider as a DPO. Service provider is highly qualified professional who focuses full time on data protection and helps to ensure high standards of data protection in all companies or organisations.
In Maili Data and Privacy Protection Management (Maili DPPM) the DPOS are fully qualified and highly regarded experts holding data protection (CIPP/E, CIPM) and information security auditor (ISO27001 lead auditor) certificates.
Maili DPPM DPO is a good choice also for an international and multilingual company as the DPO speaks Estonian, English and Russian and is familiar with data protection peculiarities in the Baltic and Nordic countries.
The size of DPO service’s fixed monthly fee depends on company’s data protection complexity and particular requirements of a company, but it is still more reasonable than hiring an employee with similar expert knowledge.
The DPO-s tasks in a company or organisation:
- If needed, maps data processing and puts together a record of processing activities (ROPA).
- Maintains and updates the ROPA.
- When needed DPO will advise applying adequate technological measures for data protection.
- Conducts Data Protection Impact Assessments (DPIA) as and when needed, recommends appropriate actions to mitigate the risks and monitors the process of risk mitigation.
- Provides data protection trainings to company employees.
- Conducts ad hoc compliance checks to see if applied organisational and technological measures are working.
- Responds to data subjects, company’s employees and clients, queries about personal data processing and ensures that data subjects rights (correction, restriction, deletion and data portability) are met;
- DPO also responds to data protection regulator’s queries and cooperates with the regulator if needed.
- The employees of a company will be sent the name and contact details of the external DPO.
Depending on the the external DPO will come to the customer’s offices for the agreed hours, to ensure that the DPO is a part of the team in the company. If the customer is located outside of Estonia, regular meetings with the company, at least one a month, will be conducted over the internet.
The GDPR audit helps the companies and institutions to determine what organisational and technological data protection measures have they applied and are these measures working as intended.
The audit is based on structured interviews with relevant employees and review of relevant documentation. If needed, an on site inspection is also conducted.
The observations in the audit report if data protection measure has been applied, partially applied or not applied and if the associated risk is high, average or low. The report also gives risk mitigation recommendations.
Data protection advisory
We can help you with:
Data mapping and data flow visualisation
Map personal data processing. The mapping is done with the help of structured questionnaire, document and application analysis and review. On request create data flow charts.
Records of processing activities (ROPA)
A company that decides why and how personal data is processed is a controller and as such is required by the GDPR to maintain a record of their personal data processing activities. We will help you put together a ROPA.
According to the GDPR companies and institutions must apply sufficient organisational and technological data protection measures. We can help to create documentation and procedures compliant with the GDPR security requirements.
Data protection impact assessment (DPIA)
DPIA must be conducted where a personal data processing is likely to result in a high risk to the fundamental rights and freedoms of natural persons. We will help to determine what is high risk and conduct the DPIA.
From the enterprise risk management perspective we recommend conducting a DPIA every time when you deploy a new application (HR software), technology (fingerprint locking system) or when you switch server housing service provider
Got a question? Ask.
Please leave your name and e-mail as we will respond to by e-mail.
Head of Legal
Data privacy involves the use and governance of personal data, typically through policies and programs. It ensures consumers’ personal information is collected, shared and used in appropriate ways. Only the IAPP offers information privacy certification programs such as CIPPE/E, CIPM and CIPT specifically designed for professionals who manage, handle and access data, and recognized and respected by employers the world over.
Clicking on the course title opens the description on IAPP’s website.
Maili DPPM is the Official Training Partner of IAPP (International Association of Privacy Professionals)
Practicing Privacy – Understanding Laws and Concepts
Show the world you know data privacy laws and regulations and how to apply them. Demonstrate your mastery of jurisdictional laws, regulations and enforcement models, plus legal requirements for handling and transferring data.
This training is an opportunity to learn about critical privacy concepts that are also integral to the CIPP/E exam. While not purely a ‘test prep’ course, this training is appropriate for professionals who plan to certify, as well for those who want to deepen their data protection knowledge. Both the training and the exam are based on the same body of knowledge.
Operationalizing Privacy – Turning Policies into Programs
Make data privacy regulations work for your organization by understanding how to implement them in day-to-day operations. Learn to create a company vision, structure a data protection team, develop and implement system frameworks, communicate to stakeholders, measure performance and more.
Applying Privacy – Turning Programs into Technology
Trainings are in person in Tallinn, Estonia, Riga, Latvia or Vilnius, Lithuania and live virtual from anywhere.
The courses are two full days from 09.00 to 17.00. The price for the full package for all the courses is 1500EUR. The full package includes study materials, digital textbook, sample exam questions, IAPP’s 12 month membership and exam voucher valid for 12 months. Exam can be done online or at an examination center.
Discounts are available for groups over 3 people and to learners signing up to two course bundles.
If you wish to organise a training for your employees please enquire about pricing and availability through the contact form below.
Choose a course and register below!
FOR A TRAINING
Information security audit
Lack of attention to information security is one of the main sources of hidden risks in a company, because should the risk realise there are no risk mitigation measures in place and potential material or intellectual property damages could end up costing a company dearly.
Our information security audit model is built based on ISO27001 information security standard. During the audit we assess if the information security measures are appropriate and sufficient and recommend risk mitigation measures based on audit findings.
Audit gives an independent and professional rating on information security level in a company.
Audit report gives concise and easy to understand review of how well the information security measures protect company’s assets and infrastructure to a company’s board and management or if needed to investors, partners or shareholders.
Depending on company’s exact requirements, we conduct information security audits also with partners that can assess any specific information security topic required.We conduct a structured interview with relevant employee, test on site and review applicable documentation.
Information security advisory
Based on audit we create the required cybersecurity documentation in the company..
When required we also assess the effectiveness of information security work procedures and make recommendations how to improve them.
With our partners we can provide more technical information security advice or help you understand if your development procedures and teams are working as well as they should.
Get in touch! Let's discuss how we can help.
What is happening in Data and privacy protection
Court of Justice of the EU (CJEU) decision in case C‑184/20 said that inferred special categories of data is indeed special categories of data as defined in the article 9 of the GDPR. The court case was brought forward by Lithuanian Commission of Ethics and is based on Lithuanian legislation that requires that people in…
Before you ask “isn’t there a better name for internet cookies”, no there isn’t, this is how they are known. A cookie is a small piece of data or message that is sent from an organisation’s web server to your web browser and is then stored on your hard drive. Cookies can’t read data off…
Who is a DPO? DPO is a professional with specialist knowledge of data and privacy protection, whose task in an organisation is to ensure that organisational and technological data protection measures are established in an organisation and who also monitors if these measures are effective. What does DPO do? In addition to implementing and monitoring…
We would love to hear from you!
Any questions or business offers? Talk to us!
+372 5341 2416