Iiris Kivikari

Senior Associate

Focus on legal development of innovative technologies and businesses, and the strategic restructuring of data processing activities.

Iiris Kivikari is known for a dynamic and insightful approach to data protection. She advises large listed corporations and global brands.

She is a trusted lecturer for leading Finnish commercial training providers. She also teaches a course on data protection and contract law at the University of Helsinki’s Faculty of Law.

Prior to joining Dittmar & Indrenius, she gained expertise working at the Office of the Data Protection Ombudsman.

Education

University of Helsinki (LL.M., 2013)

CIPP/E 2018

Admitted to the Finnish Bar Association.

Languages

Finnish, Swedish and English

Latest Insights

The Risky Matter of Data Protection
4 Dec 2017

With 6 months to go until the GDPR steps in, it is time to shift your focus from general risk mitigation to risk prioritization.

Know Your Endgame

Identifying, assessing, prioritizing and mitigating data protection risks. That is what GDPR readiness work is all about. However, with so little time left and so much to get done, it is easy to skip straight to mitigating the risk of administrative sanctions. While this course of action is certainly necessary, it has two major flaws.

What Risks Can You Live With?

Flaw #1: Your ultimate GDPR risk level is determined not by the risks you have taken care of but by those you have yet to tackle. Despite all your hard work, it is highly unlikely that your company can be fully GDPR compliant by 25 May 2018. This leads to the question: what risks can you live with? In order to answer that you have to know what risks you are up against.

And so we get to flaw #2: Administrative sanctions may not even be your biggest risk. Think: interruptions to your service, corruption of data, decline in customer trust, inflexible services… these issues may initially appear small but can, in practice, cause large damages to both you and your clients.

Prioritize

This leads us at D&I to believe that instead of mitigating every risk you come across and hoping you have time to fix them all, the key to GDPR success lies in prioritizing your work. Here are a few of the points we tend to focus on:

Key Insights

Risk: Sanctions or client distrust due to insufficient proof of data protection work
Solution: Accountability check list – The GDPR summarized in one word: "accountability". Ensure that you have a clear and thorough step plan on how to get your documents and processes in order so that when your clients or the regulatory authority come knocking on your door you have something to show for your work.

Risk: Damages due to service provider actions or omissions
Solution: Processor management controls – With service providers playing such a key role in the processing of your data, keeping them in check is a top priority. To do that you need data processing terms, processor selection criteria, and audit processes – just to name a few.

Risk: Damages caused by human error
Solution: Awareness training and allocation of responsibilities – Not everyone has to be a data protection expert, but everyone needs to know (a) when to ask questions, and (b) whom to turn to.

Data Breach: Ready, Set … React
3 Nov 2015

The Ashley Madison hacking has thrown data security right in the limelight. In the aftershock of events, companies are realizing that it could be them next. A quick reaction can ultimately alter your company's ability to control the media's post data breach field day and resulting bad will. In practice, this requires prior planning and efficient execution.

In Finland, express data security provisions set a very loosely knit web of obligations for companies. As a result, too many companies have left data security completely to "the IT guys".

Every employee counts – data security is not just the "IT guy's" thing

However, data security goes beyond the IT department. Without the combination of both technical and administrational data security, the safety of your company's data is only as good as your company's most careless employee.

So what is "administrational data security"? Administrational data security is all about preventing human and technical errors through planning, instructing and monitoring employees, and reacting to all occurring data security issues efficiently.

Data security can never be airtight, so are you ready to react to a data breach?

However, at the end of the day, the reality is that data security can never be airtight. Therefore, it's good to remember that what is not there cannot be taken. Solution: store only what you really need.

5 tips to get your company started:

1. Audit. Periodically identify your company's main data security risks, legal obligations (e.g. obligations to inform regulatory authorities of data breaches) and your staff's ability to react to a data breach;
2. Appoint. Put someone in charge of preventive data security planning, monitoring and reacting to suspected and confirmed data breaches;
3. Bind others. Take a look at your contracts and ensure that all third party vendors acting on your behalf are (i) held to the same standards as your own employees, (ii) obliged to inform you of suspected and confirmed data security breaches, and (iii) not allowed to inform others of such breaches without your express prior consent;
4. Instruct. Put a Data Security Policy in place and bind your employees to it through each employee's employment contract; and
5. Monitor. Plan and execute monitoring activities. When doing so, keep in mind that Finnish legislation sets out exceptionally severe restrictions regarding employee monitoring.