The data protection field is a new area in which a lot is happening and Kristin Asgermyr believes she can be involved and contribute.
– I want to be engaged and create a risk-based model for the management of data protection matters at Lund University. I feel that I am experienced and sufficiently senior to define our position. We need to work together with an aim to strengthen our observance of regulations step by step, she says.
One of the University’s challenges in the data protection area is to manage the considerable spread of our IT environments. Another is that the observance of data protection regulations is dependent on how the framework for information security works – an area that is under construction. Kristin will cooperate with the University’s new Information Security Coordinator, Ingegerd Wirehed.
– Ultimately, it concerns processing personal data in a responsible way. Our common goal is to maintain our high level of credibility among financiers, people who choose to take part in research studies, employees, students and other interested parties, says Kristin Asgermyr.
She states that the Data Protection Authority can decide to impose fines of up to SEK 10 million in the case of serious violations.
– We are not to think that we can fly under the radar. Several public authorities have already been audited regarding data protection and information security matters. And I believe the damage to the University’s standing would be at least as serious as any resulting costs.
The Data Protection Officer, also called DPO, is an independent role and Kristin has both a support and follow-up function. She will report regularly to the University Director, Susanne Kristensson.
– My role in the follow-ups will be something like internal audits. I will conduct interviews, request reports and carry out spot checks here and there. The role is to be independent, which means that the DPO cannot be too mixed up in things. I will be involved in education, provide interpretations on matters of principle, create templates and so on.
She considers the highest priority to be the processing of sensitive personal data and creating easily accessible information and templates. A project lasting several years was conducted with the aim of adapting the organisation to the new General Data Protection Regulation (GDPR), which entered into force in May last year. Kristin now intends to continue the work that has already started.
A risk analysis will be carried out every autumn in which Kristin will examine the risks that exist in the organisation and the measures that can be taken to reduce the risks. Kristin Asgermyr is also available to answer questions sent to datasyddsombud [at] lu [dot] se. At present, around 20 questions are received each week.
In the autumn, Kristin Asgermyr and Ingegerd Wirehed will present themselves to the faculties and units in a series of joint visits.