Interviewed by Hanna Müller
Meet our Talent, Anna Maria Björklund, Nordic Data Protection Officer at Capgemini. In this interview she talks about why having strong data protection regulation is so important, what being responsible for driving cultural change around data protection means to her, and why she admires Greta Thunberg.
You have been Nordic Data Protection Officer at Capgemini for two years after several roles in the legal field in Sweden. In parallel, you are a teacher at a Stockholm-based privacy academy. How would you describe your current role at Capgemini and why is it important?
I serve as the Data Protection Officer for all Capgemini’s activities in Sweden, Norway, Finland and Denmark, and advise and support management and business about the company’s activities in respect of personal data. I often act as the intermediary between different functions and business areas. I have daily interactions with the business in our various locations and with colleagues in the international data protection network. Interacting and cooperating with various stakeholders in my line of work is one of the best aspects of the role. I learn something new every day.
Capgemini is a value-driven company operating in the fields of consulting, digital transformation, technology, and engineering services. Data is at the Group’s core and data protection very high up on the corporate agenda. Capgemini is entrusted with valuable data from both our clients and our employees. This makes the role of the DPO meaningful and important.
What has been the greatest triumph of your career thus far?
Every time I have been able to ignite and drive cultural change around data protection in an organisation has been a triumph for me. Whether starting small, or with just a loose network of privacy lawyers; whether raising awareness at all levels of the organisation, or creating Group-wide implementation projects, new corporate processes, and entire new business roles or even departments. When people from right across your organisation start reaching out to you for advice early on in their business processes, you know you are on the right path.
To become GDPR [EU General Data Protection Regulation] compliant is about getting data protection into the DNA of the organisation and that starts with corporate culture. Compliance should not be a choice; it should come naturally.
The EU General Data Protection Regulation (GDPR), which came into effect in 2018, regulates how companies protect EU citizens' personal data. For many on the internet, this Regulation remains a black box of legalese and obscure policy. Can you explain to us why the GDPR is important and how it applies to EU citizens’ data?
This regulation is important because it is about your data. Every day your personal data is being collected, used, transferred, and possibly misused by different parties.
Your data is valuable and, if used incorrectly, it could potentially harm you. Knowledge about where your data is being processed and by whom and for what purpose puts you in the driver’s seat, and that is one of the goals of the GDPR. Further, data protection rules stem from the fundamental human right of integrity.
At the same time, the existence and interpretation of the data protection regulatory framework should not put a stopper on ethical innovation. Digital transformation is vital and should be for the benefit of all. The GDPR is also about creating a level playing field for parties that need to process personal data and is better adapted to the development of technology than the previous Data Protection Directive from 1995.
It has been argued that, in seeking to protect internet users, the EU has provided public officials with a tool to undermine press freedom. How can we ensure that data protection laws are used to protect rights, and not as a tool to silence or intimidate journalists and public interest reporters?
Freedom of expression and of information is a fundamental human right, just as the right to privacy and to your integrity are. To pit those two rights against each other is not the way to go. The GDPR states that these rights should be balanced but doing this kind of balancing act is not an easy task. The GDPR also states that Member States should reconcile the right to the protection of personal data with the right to freedom of expression, including for journalistic purposes. If Member States have not yet achieved this, then they need to work on it.
I foresee the need for the EU to support and work with the EU Member States to ensure progress. The legal framework in Sweden, where I’m from, may not be perfect, but real effort and historical reasons have resulted in a coherent model with a constitutional right of expression.
What are the most common mistakes or misperceptions you have seen when it comes to data privacy and security? And concretely, what can companies do to protect customer data, company secrets and internal communication from cyber-attacks every day?
The most common misconception I have come across is a lack of understanding that data protection laws in Europe have in scope all data that can directly or indirectly be used to identify an individual. Not everyone understands why it is necessary to cover data that might, at a first glance, look basic and not particularly sensitive.
Data that could be used for one purpose by a certain party without risk for you may in the hands of another party, together with other data about you, be used to form a profile of you, your interests and opinions. Suddenly, the data is coherent, detailed and no longer unsensitive and basic.
When it comes to cybersecurity, we need to start with training, training and more training! Comprehensive and recurring training in information security and data privacy is absolutely fundamental. Companies and organisations should understand that the chain is not stronger than the weakest link and ensure that the whole life cycle of data activity is protected. A very sophisticated and advanced security measure is of less value if the same data is transferred unprotected at a later stage.
We like to close our interviews with a question from the Proust questionnaire. The one we have chosen for you is: Which living person do you most admire?
I would like to name Greta Thunberg, a young, Swedish woman with incredible glow and seemingly relentless energy for her cause, who fights back against ridicule, harassment, and pure ignorance with references to facts and science. I would not agree with Greta on everything, but she has contributed to the struggle of getting the climate crisis on the top of the political agenda.
Video edited by Nadège Serrero