Data Protection Day is marked internationally on January 28th each year to promote privacy and raise awareness of good practice in data protection.
The day focuses on how individuals, businesses and consumers can better protect their data and private information in the digital space.
Why is this an important initiative? Many people are unaware of how their personal data is being collected, used, and shared. The goal of this day is to inspire people to take action to better protect their personal information online, especially on social media.
Did you know that your privacy, including the protection of your personal data, falls under Article 8 of the European Convention on Human Rights (the right to respect for private and family life)? This illustrates the importance of the topic, and why it should not be taken lightly.
How can you as a consumer become better at protecting your data?
As a consumer, it is important to make informed decisions when sharing your personal data, especially with businesses. Personal data such as your age, gender, purchase history and location has real value to the companies that collect it. Keep that in mind when deciding what you share and with whom.
The same goes for installing an app: you are often asked to give the app access to certain information before you can use it. This can be your contact list, location, health data, photos or microphone.
Often that information is not needed for the service offered (a simple game has no reason to read your contacts). In those situations, decide what you are comfortable sharing, read the terms of service, and manage your privacy settings: current mobile platforms let you deny an individual permission when it is requested and revoke it later from the device settings, and a well-built app should still work without the permissions it does not genuinely need.
Companies, on the other hand, need to make sure that they keep their customers’ data protected at all times and in accordance with current regulations. The same goes for their vendors and partners.
A breach in which customer data is leaked leads to a loss of reputation and customer trust, in addition to the direct financial loss from response costs and regulatory fines, which can be just as devastating to a business.
Risk should always be managed, and to create trust the company should be transparent about how it collects, uses and shares end users' personal data.
How does Visma work with privacy and data protection?
Visma is committed to safeguarding the data we are trusted with from our customers, employees, and contact persons. As a European corporation, we are subject to European privacy legislation, including the General Data Protection Regulation (GDPR).
Here are the three most important long-term actions we take in relation to privacy and data protection:
- Security awareness training of our employees
- A systematic internal security assessment that continuously audits the data protection capabilities and weaknesses of our services
- Monitoring of progress, through an index, of the work we do within security and data protection
Let’s dig a bit deeper into how we specifically work with data protection in Visma:
Organisational commitments demonstrate that we take data protection seriously
What initiatives do we carry out to ensure top focus on security and data protection? Here is an overview:
- Dedicated privacy resources on both group level and company level
Every Visma company is tied to a privacy resource, known as a Data Protection Manager (DPM). In addition, legal counsel has been assigned at group level: the Visma group Data Protection Officer (DPO). Together with the corporate compliance team, the DPO is responsible for all DPMs and for data protection in Visma.
- Independent Visma Privacy Council
We have also established the independent Visma Privacy Council, in which all divisions and business interests are represented. It is led by the DPO, monitors compliance with the GDPR and makes all strategic decisions regarding data protection in Visma. It has met monthly since 2016.
- Subscription management centres and privacy support emails
We have established subscription management centres where external contact persons can manage, edit and delete their personal data in relation to marketing. Moreover, dedicated privacy support email addresses have been established to handle customer or data subject questions and requests.
- Building a strong security culture internally
We are continuously running campaigns and activities to build a strong privacy culture among our employees, to promote a proactive approach to privacy.
- Streamlining audit reports, certifications and other generic information
We use the privacy audit requests and questionnaires we currently receive from customers to anticipate what they will ask for, so that we can streamline the audit reports, certifications and other generic information we provide to customers.
- Fulfilling the information security requirements introduced by the GDPR
We had a strong security culture before the GDPR and take a dynamic approach to this aspect of the business. We fulfil the information security criteria set out in Article 32 (security of processing) of the GDPR, which requires technical and organisational measures appropriate to the risk of the processing.
Investment in training increases knowledge and affects our behaviour
What specific training and awareness activities do we run?
- Visma employees are enrolled in the Visma mandatory data protection e-learning course
- DPMs have dedicated communication channels, meetings and workshops
- Stakeholders in a (potential) privacy breach, in particular development, operations and customer account managers, are drilled and included in the incident response routine.
- The incident response routine is operated by a dedicated team of security experts that assists with everything from the initial notification of stakeholders to the final lessons-learned session. This way, Visma is able to fulfil the legal requirements tied to incident handling, including the GDPR's deadlines for reporting a personal data breach: a processor must notify the controller without undue delay, and a controller must notify the supervisory authority within 72 hours of becoming aware of the breach where it is likely to result in a risk to individuals.
Understanding the personal data we process, how we process it and the risks involved
How do we work as a Data Processor and Data Controller?
Visma as Data Processor
The services and products we offer are subject to a security and privacy self-assessment regime to meet the commitments we take on as a data processor towards our customers.
The self-assessment maps each service's privacy capabilities and weaknesses alongside a series of security areas, assesses the resulting risk, and facilitates its mitigation.
Lastly, mitigation work is tracked in a ticketing system and monitored through a live index to ensure progress and detect bottlenecks.
Visma as Data Controller
Each year we carry out internal control documentation to check our routines for processing personal data, both that of our employees and that of our customers, against the requirements of the GDPR.
The purpose is to ensure transparency towards data subjects about how we process their personal data, as demonstrated in the Visma Privacy Statement (for customer contact persons) and in our internal routines (for employees).