Security and privacy
Privacy and data protection are critically important, particularly for our cloud services. Within VASP and VCDM, there are numerous requirements for privacy compliance that start right at the design phase for a new product and carry through to its end-of-life.
These requirements are explained in greater detail in the next chapters; however, as part of this introduction we'd like to emphasise a couple of things:
In Visma, we draw a distinction between “security”, “privacy” and “data protection”:
Security, or more accurately in our context here, application security, is concerned with finding, fixing and preventing security vulnerabilities in order to protect the assets in the application from threats and attacks.
These assets can be the application itself, but are in most cases data: your accounting data, payroll and expense claims, user data, invoice information etc. Any data that you as a customer process using our products.
This means that application security, while based on a risk assessment of the types or categories of data that are being processed by the application, does not primarily concern itself with how data is used, how it can be used or even what types of data it is. It focuses narrowly (and correctly!) on how to protect it.
This is where privacy and data protection come in. “Privacy” in this context means the privacy protections afforded to individuals for their personal data through the GDPR, the General Data Protection Regulation. “Data protection” means the protection of customer data, such as accounting data, in an application including any personal data.
In a word, application security protects a container. Privacy and data protection are about what's inside the container.
Privacy and data protection focus on the data itself:
- What type and categories of data is it?
- What is the legal basis for processing the data?
- What are the legitimate purposes for processing the data?
- Are there any particular risks associated with this type of data?
- Which rights and obligations do Visma, our customers and individual users have as a result of the types of data processed in our products?
- What security measures and functionality should the product support in order to meet these rights and obligations?
These and many other questions are the bread and butter of data protection. Within VASP and VCDM, we have split security and data protection into two separate but complementary domains through the independent role of the “data protection manager”:
The Data Protection Manager (DPM) is a role modelled after the Data Protection Officer (DPO) role mandated by the GDPR. In the Visma group of companies, there is only one Data Protection Officer, however, every legal unit in Visma has a DPM. The DPM acts as an advisor and contact point for matters related to privacy and data protection within his or her particular organisation in Visma.
Just like the DPO, the DPM is an independent position. This independence is crucial in enabling the DPM to act with a mind to protect the privacy and data of data subjects and customers in an appropriate manner. The DPM reports to management of his or her company, and to the DPO.
In VASP, the DPO is an important stakeholder for everything concerned with privacy and data protection within the program, and is also automatically notified of any security incident with a privacy or data protection impact.
Further, every Security Self-Assessment is reviewed by the DPO and/or representatives of the DPO, which means that before any product is certified for either VASP or VCDM, it has to be reviewed by both security and the DPM. (More on the review process in the "Design and Development" chapter below.)