Privacy
How Visma handles privacy incidents
To minimise the business impact that incidents have on Visma and on customers of Visma, we have a dedicated team and a defined process for handling incidents. This process and its specialised team are a vital part of the Visma Application Security Program.
Involvement from Visma Data Protection organisation
The Visma Data Protection Council meets monthly and part of the agenda is to walk through any relevant incidents and discuss needed actions for the whole of Visma. All DPMs participate in a mandatory workshop yearly where we look at trends in reported incidents and ensure that all DPMs are updated.
If you have any questions or comments about the process itself, please contact us by using this form.
The incident handling process
1. Alert Received
Whenever Visma receives an alert about a potential privacy incident, our Security Operations team is contacted immediately and an Incident Coordinator is appointed.Incidents might be reported directly from our customers or from our employees at Visma. To ensure we act promptly, employees are trained in how to recognise a privacy incident and how to report it.We have a low threshold for starting our incident response procedure. If you need to send an alert, please contact your customer contact or send an alert directly to [email protected]. The team is available 24/7.
2. Assess and resolve the incident
A dedicated Incident Response Team is set up to find the root cause and resolve the incident. Our team of experts in cyber security has deep technical expertise in various fields, and participates in the problem solving as needed, in addition to the experts of the product affected by the incident.
The security professionals on our Security Operations team handle day-to-day security operations including being subject matter experts in incident handling. The team also handles our security systems and frameworks, and provides training and guidance to our product teams in matters related to security.
Visma Group Legal including the local Data Protection Manager (DPM) is always part of the response team for privacy incidents, to ensure that risks are assessed and proper communication is done. Internal and external stakeholders are informed continuously through this process.
To ensure efficient and transparent communication, we set up dedicated chat rooms for the specific incident, involving only the personnel needed.
Mitigating actions are done as needed to ensure we fix the problem and prevent it from happening again. The actions and their timeline are documented in the Incident Report, in addition to the root cause analysis, details describing the incident, and the consequences for any data subjects involved.
Crisis management
If an incident reaches a certain level of significant negative impact, it is classified as a crisis. Impact in this context involves any major negative impact to life and health, financial impact, data protection and more.
Upon a suspected crisis, the crisis management team is mobilised. The crisis management team involves Visma Group Management members as well as related and relevant members of Visma companies involved in the crisis. The crisis management process describes and initiates clear roles, responsibilities and actions to be performed and aims to prevent crisis in high impact incidents, as well as carry out crisis impact assessment, crisis handling and crisis closure.
Filing reports to the local data protection authority
Visma operates in many countries and reports shall be given in the country where the data subjects involved are located. Visma will report incidents if we are the data controller for the personal data. In cases where we are the data processor, we will inform the data controller (our customer) and they will decide if it is necessary to file a report or not.
We recommend our customers to follow the guidelines from the EDPB.
3. Review and close the incident
When all actions are done and operations are back to normal, the incident is closed in a Review Meeting with all participants. Visma Group Legal is always part of these meetings for privacy incidents. The Incident Report is gone through in detail to ensure it is complete.
The adherence to the process itself is also reviewed, for us to learn if we need to make adjustments to our process for handling incidents or if the team needs further training in how to handle such incidents.
