Data Protection Program
Organisation
Visma has a Data Protection Council (Council) that meets regularly, and a corporate Data Protection Officer (DPO), a Chief Information Security Officer (CISO) and Data Protection Managers (DPMs) in every Visma company.
All strategic decisions regarding data protection are governed by the Council in order to ensure transparency and accountability.
Visma's responsibility to comply with applicable privacy legislation has been delegated to the DPO, a formal and independent role as described in the GDPR. In short, the DPO facilitates the privacy work in Visma.
All companies in Visma are subject to the framework and organisational requirements outlined above. Each company is tied to a DPM resource, who continuously reports to and cooperates with the DPO to solve everyday tasks. The DPMs are trained both individually and through workshops held for all DPMs. In addition, all companies report to the Council on topics such as progress on mandatory privacy training, internal control, incidents, and compliance with corporate policies. The Council, in turn, reports to Visma group management and Visma's owners.
Policies & Guidelines
Through our privacy policy and internal guidelines we ensure all employees are aware of how Visma shall process our customers' personal data and also our internally owned personal data. These governing documents are approved by our Council.
Risk, maturity & monitoring
Visma and our products are constantly evolving. To ensure that we comply with applicable privacy and security legislation while meeting our customers' trust and expectations, Visma has implemented an assessment program. The assessments give us insight into the actual risks related to the product/service.
For every software service we launch on the market, we conduct and review a mandatory privacy and security assessment. The assessments consist of detailed requirements with questions and answers, and they are updated regularly.
Privacy assessment
This assessment is a way of documenting status and mitigating risk. In short, it allows us to keep track of what kind of data is processed, how it is processed, in what manner it is protected and with whom it is shared. This helps us to implement measures to mitigate privacy risks and prevent incidents before they occur.
Security assessment
This assessment examines security-specific areas such as encryption, firewalls, and access and authorisation controls. It requires an overview of all system components, integrations and connections, data flows, and suppliers. In addition, it deals with infection prevention, cross-site scripting, error handling, and deployment reviews.
Monitoring
Our products are governed by a security and compliance regime that monitors, measures and flags risk. The monitoring is done automatically, 24/7, through a Visma-developed index in which anyone within Visma can view the privacy and security status of our products at any time. When a risk is flagged, a risk owner is responsible for describing the risk and monitoring its mitigation.
Incident handling
In the event of an incident, our Privacy and Security Incident Response Team, including our Data Protection Officer (DPO), initiates the incident response procedure. The team is specialised in handling security and privacy incidents.
The team and DPO work together with the people responsible for the specific product and/or area of business. This enables Visma to respond quickly and appropriately to incidents, mitigate risk, and ensure that customers receive timely and relevant information.
Awareness and training
The legal environment is changing and new laws and regulations are taking effect to control the collection, use, retention, disclosure and disposal of personal information and data in general.
Simultaneously, the rate of cyber attacks, data breaches and unauthorised use of data is growing. Therefore, it is more important than ever to understand the rights and obligations of individuals and organisations with respect to personal information and customer data.
On this basis, all employees in Visma are subject to privacy awareness training, and every Visma company is tied to a data protection resource that educates its staff.
Confidentiality
When customers trust us with their data, they also need to know that we will treat the data with the necessary level of confidentiality.
All employees in Visma have confidentiality clauses included in their employment contracts, and they go through an e-learning course in privacy. The development teams (as well as other teams and employees) receive additional training and support tailored to their roles.
Most teams have a dedicated Security Engineer, who receives additional training in security and privacy. A Data Protection Manager (DPM) is also available for the development teams. This person, together with the Security Team, supports and guides the development teams through the mandatory internal process for security and privacy.
When employees leave Visma, they are reminded that their duty of confidentiality still remains.