Security Expert Interview Series: Mirell Metspalu

In this interview, we explore Mirell Metspalu’s journey within the data protection world and how her unique background prepared her for success in this field. Mirell is a Senior Privacy Analyst based in London, and she is specialized in data protection and information security compliance. She also shared with us what we can integrate into our daily tech habits to better protect our privacy.

privacy analyst interview


1. Firstly, thank you for taking part in this campaign. Can you give us an introduction about yourself, Mirell? How did you venture into the data protection world?

Thank you for the invitation, I appreciate it. I’m currently working as a senior privacy analyst at F5 Networks.

My privacy journey started while studying for my master’s degree. The program focused on how different types of technology should and could be regulated and data protection sparked my interest. I have had the opportunity to get exposure from different domains within privacy as I have carried out legal research for the European Commission and worked for a Big 4 as an auditor assessing data protection and information security frameworks and controls designed by other people. For the last couple of years, I have worked for companies implementing and managing policies and processes. 


2. What is anything you wish you knew when you first went into a career in data protection?

When I started out in privacy, I was very strict in my approach to data protection and perhaps did not realize how important it is to consider and understand the entire organizational structure. Furthermore, how essential it is to ask yourself what the overall value is of what you do and to whom. We should have more empathy towards the user, whether they are an external customer or an internal stakeholder.  If you design a product you should not just keep in mind privacy by design principles but also try to anticipate what the user expects from you and how the technology may be utilized in the future. 

We see a lot of firefighting and time spent on solving and managing the symptoms of products and processes that were not built with privacy in mind – sometimes collecting excessive amounts of data, using dark patterns and manipulative designs, accompanied with poor access management and so on. Thus, the aim should be to design and create products by incorporating privacy at an early stage. Privacy is not something you attempt to sprinkle on a product two days before launch. 


3. How has your unique background prepared you for success in this field?

By education, I have a legal background. What has helped and supported me a lot though is the exposure and experience I have gained in information security. Data protection and security are intertwined – you cannot have one without the other. We cannot talk about protecting data without the appropriate security controls in place


4. Considering the massive increase in cyberattacks, what do you believe will be the key trends likely to emerge in data protection over the next 3 years?

The developments and increasing use of AI and machine learning will be one of the big topics. Cybercrime is a business, and growing a business is all about scale and efficiency. AI and automation can be used to do good or evil. Organizations can protect themselves from automated attacks that can result in data breaches by investing in automated defense. There is a lot going on from a regulatory perspective as well. The European Commission has published a draft regulation governing the use of artificial intelligence and this will definitely have some impact on the industry and hopefully, also a positive impact on users’ privacy once enforced. 

Due to Covid-19, we have seen an increase in remote working and this can increase vulnerabilities and risks. This means that organizations need to assess their current security infrastructure for areas of weaknesses. More companies migrate to the cloud and see increased attacks that may end up resulting in a data breach.

security expert interview series


5. What can we integrate into our daily tech habits in order to better protect our privacy?

We often do not acknowledge how valuable our personal data is and we are too hasty and careless in giving it away. Thus, we should be more mindful regarding what information we share and with whom. 

Checking and configuring your privacy settings should become a habit whether it’s your cell phone or web browser. The usage of ad blockers and configuring cookie settings is also very beneficial.

I would also like to remind everyone that using public wifi has its risks and should not be encouraged especially when you carry out data-sensitive transactions.


6. Are there any resources you use to keep updated on technology and data protection, and can recommend?

I do follow the more common resources like iapp.org and edpb.europa.eu but perhaps the less conventional resource for me is following social media. I think Twitter is a great platform that can make it easy to learn about newly published guidelines, data breaches, promising new tools, and must-read articles along with insightful opinions and discussions among brilliant professionals and experts in the field.


7. What advice would you give to women looking to break into the field of data protection?

Women should be empowered to do whatever they wish to do as a society still struggles with gender bias. Working in tech and in the field of privacy means often that you will collaborate with heavily male-dominated teams and unfortunately sometimes you need to prove yourself as an equal counterpart. I think at the end of the day we should remind ourselves that we are the experts in our own area and our colleagues are experts in theirs. The launch of a successful project and product requires collaboration and also mutual respect from both sides.

I do encourage women to move to the field of data protection and security. There are so many opportunities for growth and the work you do can be very fulfilling as I’ve experienced first-hand.