The Privacy Self Assessment
The Privacy Self-Assessment (PSA) is a key component of the SSA, and consists of several items in the SSA specifically about privacy and data protection, and one or more risk assessments.
The risk assessments consists of two parts:
Data classification, detailing such things as data ownership, the types and categories of data processed in the system, where it is processed, how long it is stored for, and if any subprocessors (for example a hosting provider) are used. The classification also includes a three-tiered rating of the data’s confidentiality, integrity and availability.
Risk assessment, where the risk represented by the processing is evaluated for both the data subject and for Visma. The risks are reviewed by a member of the security team in conjunction with the security self-assessment, and also by the Data Protection Manager.
Risks are categorised as “Acceptable”, “Medium” or “High” according to criteria in the data classification. Medium and High risks are reported to the Group Product Development Manager or Development Director respectively, who approve the risk mitigation actions. (The Group Product Development Manager is responsible for a set of products.)
This ensures that the security-level in any given solution is based on a risk assessment that takes into account both technical aspects (such as a security vulnerability) and the potential impact of a data breach on anyone whose data is registered in the system. Further, it ensures that risk mitigation is a management responisbility.
In addition to the requirements in the SSA and PSA, every service is assigned a minimum level of security based on the data classification and other considerations, such as business criticality- please see the next two sections.
As a minimum, every service performs a risk assessment for Visma’s role as a data processor, but will also perform context-specific risk assessments, such as for new integrations or change of a hosting provider.
The second part of the privacy self-assessment is a section inside the security self-assessment dedicated to privacy. For example, we map all personal data types (name, email, IP-address etc) that is processed in the application, the ability to delete, return, correct and update personal data, and similar key requirements for processing personal data.
The Privacy Self- Assessment is approved by the Data Protection Manager. This means that we’ve separated approval for our services for processing personal data to separate and independent parties.