The General Data Protection Regulation (GDPR) is an EU regulation that came into effect on May 25th 2018, and on 20.07.2018 in Norway. It is the most significant change in data protection regulation in decades, and aims to strengthen and clarify the data and privacy protections of individuals, and also to simplify regulations for businesses. This affects not just Visma as your service provider, but also your business:
When you are using products and services from Visma, you are "processing" the personal data of your users, employees, contacts, customers and so on, for purposes determined by you. "Processing" means any use of personal data, such as collecting it, storing it, and modifying it. For example, you will process personal data in order to pay a supplier invoice, pay your employees, or render professional services, if you are for instance an accounting office.
This makes you a "data controller". A data controller is someone who determines the means and purpose for processing personal data. For example, using Visma.net Expense (the means) to provide your employees with an application for expense claims (the purpose).
If you are using a cloud or online service from Visma, such as Visma.net Expense, Visma is your "data processor". This means that we process the data on your behalf and on your instruction, in order to provide you with the service. This can for example be providing hosting, security and support.
This page outlines your duties and obligations as a data controller. However, this is not a comprehensive or authoritative guide: we recommend that you acquire the knowledge and skills to assess your use of personal data in the context of your business, so that you can best meet your obligations as a data controller.
The best place to start is often the information provided by your local Data Protection Authority. These are authoritative sources, and provide comprehensive information and guidelines in easy-to-read formats:
Whenever you are processing personal data, you are responsible for that processing. This means that you are independently responsible for your use of personal data, and that it is you, as the data controller, who has to be "compliant".
For example, under the GDPR, the data controller is responsible for maintaining a register of the types of personal data that are being processed. In many of our systems, you will configure this yourself. This can be the information about your customers that you collect through a Visma webshop, or the fields you configure in your ERP database. This means that it is up to you to maintain this register.
The GDPR and how to comply with it is a very big and comprehensive topic. It is always useful to begin with first principles:
Principles for processing personal data
Personal data shall be:
- Processed lawfully, fairly and transparently in relation to the data subjects. ("Data subjects" are the persons you process data about, such as your employees and customer contacts.)
- Collected only for specified, explicit and legitimate purposes, and not processed further in a manner that is incompatible with those purposes.
- Adequate, relevant and necessary in relation to the purposes. This is often called the "data minimisation" principle.
- Accurate, and where necessary, kept up to date.
- Kept for no longer than is necessary for the purpose.
- Processed in a manner which ensures appropriate security. ("Appropriate" means that the security measures employed to protect the data should be appropriate to the risk represented by the processing. This means you need to perform a risk assessment before you start to process personal data.)
What should you do?
Whether you are a one-person company or a large enterprise, the following general guideline can be used. The particulars, such as whether or not you should have a Data Protection Officer, depend on the nature, type and volume of your processing of personal data.
1. Acquire knowledge and competence about what the GDPR is in general, and how it affects your business in particular. The links to the various data protection authorities above are a good starting point. Always keep the principles for processing personal data (see above) in mind, as these are legally binding.
2. Identify and classify the types and categories of personal data you process, including the IT systems you use to process the personal data (for instance "customer contacts" or "employees"). Remember in particular to identify whether you are processing special categories of personal data, colloquially referred to as "sensitive personal data".
3. Identify the IT systems you use to process personal data.
4. Identify any data processors you use, such as email service providers, or Visma.
5. We recommend you create a data flow diagram based on the information from points 2, 3 and 4 above, i.e. a diagram showing where personal data flows between the various systems, components and integrations you use. For example, you may have built an integration between your ERP system and your CRM system. Such diagrams are very useful for purposes of security, compliance and transparency.
6. Determine the purpose for processing, per category of personal data. For example, "webshop user accounts" could be one category, processed for the purpose of providing user sessions. According to the principles outlined above, the purpose for processing personal data must be specified and explicit, so vague or ambiguous language is not permitted.
7. Determine the legal basis for each of your processing activities. The various legal bases are listed in the GDPR's article 6; also keep article 9 in mind if you are processing sensitive personal data.
8. Assess the rights of "your" data subjects in the specific context of your processing, in order to assess your role as a data controller, in particular with regards to transparency and information. Note that the rights of the data subject are determined in part by the purpose for processing and the legal basis. For example, if you use consent from the data subject as the basis for processing, the data subject has the right to withdraw that consent.
9. With the above information, perform a risk assessment for your company's processing of personal data, and if you need to, for individual IT systems or data processing activities. Risk assessments should be performed before the actual processing of personal data begins. The output of the risk assessment should be action points and risk-mitigating measures to help you achieve compliance:
10. Implement the risk-mitigating measures in your internal controls, processes and IT systems, including procedures for handling data breaches and other security incidents.
What are "risk-mitigating measures"? It depends entirely on your particular context, but here are some examples:
- Enter into data processing agreements with your data processors. For our customers, we have a data processing agreement as part of our Terms of Service.
- Review access controls and policies: who needs access to personal data, and for what purpose?
- Ensure you only collect data required for your legitimate purposes. (For example, do you really need to collect social security numbers in your webshop? Should that newsletter you want to send perhaps be something your customers opt into rather than have to opt out of? Do you really need copies of twelve-year-old payslips on that server?)
- Review how you configure and use IT systems. This is very important, as many systems can be configured in a manner to help you with compliance. This is not just with regards to the data you collect and process, but how the system itself is configured in terms of security, user controls, audit trails and so on. We've written guidelines for many of our products, which are available from the service information page.
- Secure your devices! Cloud services are normally very secure, but the computer, phone, tablet, router etc. you use to access them may not be. Ensure you use strong passwords, apply security patches and anti-virus, use secure networks and so on.
As your data processor and the producer of the product or service you use, we are generally responsible for providing you with enough information so that you can make an informed choice and decision about whether or not you can use our products and services in a compliant manner, and for fulfilling the duties of the "data processor":
- To only process the personal data on your behalf and instruction, and subject to appropriate safeguards.
- To only use other processors (such as hosting providers) as authorised in the Terms of Service, and as notified in advance.
- Taking into account the nature of the processing, such as what we know about the data you put into the system or how you have configured it, to assist you in responding to requests for the exercise of the rights of a data subject, and with your obligations with regards to: