GDPR – The processing of personal data

As the provider of Expense, Dicom Expense is responsible for the technical and organisational protection required to ensure that personal data is processed in compliance with the law. Dicom Expense ensures that the security required for storage, access control, register extracts (subject access requests) and the erasure of personal data is in place. All employees are bound by a confidentiality agreement that prohibits them from disseminating data and information or from making the client's personal data available to others. Only authorised members of staff have access to our systems. You, as the client, are the controller for all personal data processed in Expense. Dicom Expense, as the processor, takes the technical and organisational measures needed to ensure that your personal data is processed securely in accordance with GDPR.

How is Dicom Expense preparing for the implementation of GDPR on 25 May 2018?
Dicom Expense has inventoried and documented how personal data is processed in our system, in line with GDPR. It has always been our policy not to process more information than is absolutely necessary.

What information stored in Expense will be affected by GDPR?
All data created by the client, such as names, employee codes and cost centres. This data is controlled and owned by the client, which gives the client full control over its erasure. The GDPR rules also take account of the retention period of logs and backups.

Does Dicom Expense use any third-party providers of relevance as regards GDPR?
Dicom Expense uses a fellow subsidiary, Dicom Data AB, 556347-0540, to operate Expense.

Data

Who has access to information?
Besides the clients themselves, who have access to their own data, Dicom Expense support and development staff can access the content at the client's request.

Is the data used for purposes other than the purpose for which the clients use it?
No.

Dealing with breaches

Our process for dealing with breaches has five stages:

  1. Registration
     Breaches are registered in our breach-handling system as soon as they are detected.
  2. Analysis
     Registered breaches are analysed to establish the nature of the breach, which enables us to prioritise it and take action.
  3. Prioritisation
     Breaches are classified and prioritised so that we can allocate the right resources to the response.
  4. Rectify and report back
     The breach is rectified and promptly reported back to everyone concerned.
  5. Follow-up
     Breaches are followed up to give an overview and a basis for improving how we deal with incidents and breaches.

Security

What are we doing to ensure security for Dicom Expense?
Dicom Expense is actively working to improve its compliance with the ISO/IEC 27000 series of information security standards. This work is being carried out together with security consultants.

Encryption and Authentication
The Expense service is protected by 256-bit encryption in transit (TLS, commonly still referred to as SSL): all information sent to and from our servers is encrypted. Every request to our servers is authenticated, and the authorisation of the logged-in user is checked before the request is served. All of our clients' passwords are stored as one-way hashes rather than with reversible encryption, which means that the passwords themselves cannot be read, not even by us.
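As an added illustration of what "one-way" password storage means in practice (this is example code written for this page, not Dicom Expense's own implementation, and the algorithm, work factor and record format are assumptions): each password is combined with a random per-user salt and run through a deliberately slow key-derivation function; only the salt and the resulting hash are stored, and a login attempt is checked by re-deriving the hash and comparing in constant time. Nothing in the stored record allows the original password to be recovered.

```python
"""Salted one-way password hashing with PBKDF2-HMAC-SHA256.

Added example using only the Python standard library; the parameters below
are assumptions chosen for illustration, not values taken from any product.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # assumed work factor; tune to ~100 ms on your hardware
SALT_BYTES = 16        # 128-bit random salt, unique per stored password
HASH_BYTES = 32        # derived-key length


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    The salt is fresh for every call, so hashing the same password twice
    yields two different records and pre-computed tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES
    )
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and compare in constant time.

    Malformed or unknown records are rejected rather than raising, so a
    corrupted row in the user table cannot turn into an authentication bypass.
    """
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record uses a weaker work factor than currently required.

    Call this after a successful login and re-hash with the user's (now known)
    plaintext password, so old records are upgraded gradually.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("correct password accepted:", verify_password("correct horse battery staple", record))
    print("wrong password rejected:", not verify_password("Tr0ub4dor&3", record))
    print("needs rehash:", needs_rehash(record))
```

The stored record contains no key that could decrypt anything, which is the difference between hashing and encryption: an operator who can read the user table still cannot read the passwords. The per-request authorisation check described above is a separate step that happens after the password check has established who the user is.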

Storage and Backups
Our services run in a security-classified data centre in Stockholm that is monitored around the clock. Backups are stored in a second, geographically separate security-classified data centre in Stockholm. Our operations staff have access to the data centres around the clock.

Our server environment and network are protected by firewalls and monitoring. Backups of the data are taken several times a day and stored in accordance with our Backup Management Policy. Each client's data is kept separate from that of every other client.