
GDPR and absenteeism data: why secure software is essential

Written by OAW SE-EN | Apr 23, 2025 9:06:11 AM

At Otherside at Work, we develop technology that supports organizations in absenteeism management, sustainable employability and social security. A lot of privacy-sensitive data is processed in this process. How do we ensure that your absenteeism data remains secure and that your processing complies with the GDPR? Stef Roskam, VP Engineering at Otherside at Work, shares his vision on data security.

What makes absenteeism data so sensitive?

Stef: "Absenteeism data fall under special personal data. Think of sick and recovery reports – these are data that fall under the categories with the most rules of the GDPR. Employers and occupational health and safety service providers have the responsibility to process this data securely. Our job is to support them with tools that allow them to live up to that responsibility. Think of determining who has access and how long you want to keep certain data. We ensure that this can be set up in the Xpert Suite GDPR-proof." He adds: "Processing privacy-sensitive data requires a combination of technical measures, such as encryption, and organizational measures, such as clear agreements about who is allowed to view which data. That is why we have also made a number of choices in the technical architecture of Xpert Suite that fit well with the requirements of the GDPR. At Otherside at Work, we build our software with these responsibilities in mind."

What if you don't have data privacy in order?

There are several consequences of poor data privacy: "A data breach can lead to legal and financial consequences with fines from regulators or claims from data subjects that bear the negative consequences of your mistakes. For our company, perhaps the most important thing is the reputational damage. If the trust of customers, partners and employees is gone, that is the greatest risk to the continuity of our company. The same actually applies to our customers." He adds: "Recovering from a data breach often takes a lot of time and resources. With the Xpert Suite, we help customers to greatly minimize the risks of a data breach."

How Xpert Suite protects your data

Stef explains how Otherside at Work tackles these challenges with the Xpert Suite.

Dutch data centers

"We consciously choose to store data locally in various Dutch data centers. This allows us to minimize compliance risks. Customers can be sure that their data will stay within the EU, and thus stay away from discussions about foreign regulations." Stef emphasizes: "We only work with parties that comply with the GDPR legislation and other relevant standards. We do not use American cloud providers as the basis of our product, to avoid possible complications around regulations."

Security of our network

"Our storage is not directly accessible via the internet," says Stef. "In this way, we minimize the risk of data breaches due to human error or misconfigurations." He also gives a few examples of our security measures:

  • "We apply extensive network segmentation and multiple layers of firewalls.
  • Development, testing, acceptance and production environments are strictly separated. Every code change goes through the entire chain before it goes into production.
  • We encrypt data. Even if someone gains access, the information is not immediately readable.
  • The certificates used to create cookies are automatically rotated daily."

Security on data storage

When designing our data storage architecture, we make conscious choices to ensure both security and manageability. Stef explains our most important decisions below:

  • "For the storage of data, we deliberately do not opt for an architecture with microservices, where data is stored in a decentralized manner, but we opt for one database per customer, so that data can be easily cleaned and deleted.
  • We consciously choose a storage medium with built-in encryption options, but where data can be deleted, unlike, for example, a blockchain or immutable event store.
  • For the backup solution, we do opt for temporary immutable backups with multiple backup locations, so that the risk of data loss is minimized.
  • We have also included in our architecture that all data access must be carried out with authorization checks. Access via APIs must therefore also be authorized for the right data and features. Many systems work with a much more superficial authorization mechanism. This allows administrators and developers to make mistakes more quickly, and hackers can exploit it much more when a weakness is found."
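As an added illustration of the last point (not code from Xpert Suite or Otherside at Work), the Python sketch below contrasts a superficial, role-only authorization check with one that authorizes the feature and then the specific record, routing to the caller's own per-customer database rather than trusting a customer id from the request. The customer and role names, the `caseload` scope and the in-memory databases are constructed assumptions.

```python
"""Added illustration of feature-level plus data-level authorization on an API call.

Constructed model, not Xpert Suite code: one in-memory dict per customer stands in for
one database per customer, a principal carries its tenant, roles and an explicit
caseload, and two read handlers show the difference between a role-only check and a
check that also authorizes the specific record. All names are hypothetical.
"""
from dataclasses import dataclass

# Constructed sample data: one dict per customer (one database per customer).
CUSTOMER_DATABASES = {
    "customer-a": {
        "case-1": {"employee": "emp-a1", "kind": "absence_case"},
        "case-2": {"employee": "emp-a2", "kind": "absence_case"},
    },
    "customer-b": {
        "case-1": {"employee": "emp-b1", "kind": "absence_case"},
    },
}

# Which roles may use which feature (hypothetical feature and role names).
FEATURE_ROLES = {
    "read_case": frozenset({"case_manager", "customer_admin"}),
    "delete_case": frozenset({"customer_admin"}),
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    customer_id: str     # tenant, taken from the authenticated session, never from the request
    roles: frozenset
    caseload: frozenset  # employee ids this user works on (assumed scoping mechanism)


class AuthorizationError(PermissionError):
    """One error for 'forbidden' and 'does not exist', so a denied call leaks nothing."""


def superficial_read_case(principal, customer_id, case_id):
    """Weak pattern: a role check, after which the caller-supplied customer id is trusted.

    A case manager of customer B who passes customer_id='customer-a' receives A's record.
    """
    if not principal.roles & FEATURE_ROLES["read_case"]:
        raise AuthorizationError("feature not allowed")
    return CUSTOMER_DATABASES[customer_id][case_id]


def authorize(principal, feature, record):
    """Feature check followed by a data check on the specific record."""
    if not principal.roles & FEATURE_ROLES[feature]:
        raise AuthorizationError("feature not allowed")
    if "customer_admin" in principal.roles:
        return  # admins may act on every record of their own customer (assumption)
    if record["employee"] not in principal.caseload:
        raise AuthorizationError("record outside caseload")


def read_case(principal, case_id):
    """Hardened pattern: tenant from the principal, and the record itself is authorized."""
    db = CUSTOMER_DATABASES[principal.customer_id]
    record = db.get(case_id)
    if record is None:
        raise AuthorizationError("not found")
    authorize(principal, "read_case", record)
    return record


def allowed(principal, feature, case_id):
    """True if the hardened path permits `feature` on `case_id` for this principal."""
    record = CUSTOMER_DATABASES[principal.customer_id].get(case_id)
    if record is None:
        return False
    try:
        authorize(principal, feature, record)
    except AuthorizationError:
        return False
    return True


if __name__ == "__main__":
    manager_b = Principal("u-b", "customer-b", frozenset({"case_manager"}), frozenset({"emp-b1"}))
    print("weak handler returned:", superficial_read_case(manager_b, "customer-a", "case-1"))
    print("hardened handler returned:", read_case(manager_b, "case-1"))
    print("case-2 readable for manager B?", allowed(manager_b, "read_case", "case-2"))
```

The design choice worth noting is that the hardened handler never takes a tenant identifier from the request at all: the principal's session decides which customer database is opened, and the record check then decides whether this user may see this employee's data. A missing record and a forbidden record produce the same error, so a denied call does not reveal which case ids exist.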

Structural monitoring of vulnerabilities

Keeping your own software secure is not enough on its own for good security. That's why we keep an eye on our entire stack:

  • With tooling from the Software Improvement Group, we continuously monitor for vulnerabilities in our software and in the libraries we use.
  • We use vulnerability scanning to scan our infrastructure.
  • With penetration testing and bug bounty programs, vulnerabilities are actively searched for that cannot be found with tooling.

Privacy by design & by default

"Privacy is ingrained in the Xpert Suite," says Stef. "We minimize what data is stored, because customers can define a lot themselves here. So only data that suits their own situation is requested. We also offer the tools in the tool that support a good retention policy. The retention periods differ greatly depending on the customer's exact situation. So they must be able to set what applies to them." Examples are:

  • Medical records: Retention period of 20 years (or longer in the case of work-related disorders).
  • Case management files of absenteeism counselling: A maximum of two years after completion of a process.
  • Appointment files: A maximum of six months.
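The following Python sketch is an added example, not Xpert Suite code, of how a customer-configurable retention policy can be kept inside the bounds listed above: each record kind carries a legal minimum or maximum, the customer's own periods are validated against those bounds before any cleanup runs, and the retention clock starts when the process or appointment ended. The record kinds, field names, sample records and the 30-year work-related value are constructed assumptions.

```python
"""Added illustration of a customer-configurable retention policy with legal bounds.

Constructed model, not Xpert Suite code: each record kind has a legal lower/upper bound
in months taken from the examples in the text, a customer sets its own periods within
those bounds, and the retention clock starts when the process or appointment ended.
Record kinds, field names and the work-related override value are assumptions.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Legal bounds per record kind as (minimum months, maximum months); None = unbounded.
# Medical records: at least 20 years, longer for work-related disorders.
# Case files: at most 2 years after completion. Appointment files: at most 6 months.
BOUNDS: Dict[str, tuple] = {
    "medical_record": (20 * 12, None),
    "medical_record_work_related": (20 * 12, None),
    "case_file": (0, 2 * 12),
    "appointment": (0, 6),
}


@dataclass(frozen=True)
class Record:
    record_id: str
    kind: str
    completed: Optional[date]   # end of the process/appointment; None = still running
    work_related: bool = False  # only meaningful for medical records


def add_months(d: date, months: int) -> date:
    """Calendar-aware month addition (Jan 31 + 1 month = last day of February)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def validate_policy(policy: Dict[str, int]) -> List[str]:
    """Return the ways a customer policy falls outside the legal bounds (empty = valid)."""
    problems = []
    for kind, (low, high) in BOUNDS.items():
        if kind not in policy:
            problems.append(f"{kind}: no retention period configured")
            continue
        months = policy[kind]
        if months < low:
            problems.append(f"{kind}: {months} months is below the minimum of {low}")
        if high is not None and months > high:
            problems.append(f"{kind}: {months} months exceeds the maximum of {high}")
    return problems


def retention_deadline(record: Record, policy: Dict[str, int]) -> Optional[date]:
    """Date from which the record may be deleted, or None while it is still in use."""
    if record.completed is None:
        return None
    kind = record.kind
    if kind == "medical_record" and record.work_related:
        kind = "medical_record_work_related"
    return add_months(record.completed, policy[kind])


def records_due_for_deletion(records, policy: Dict[str, int], today: date) -> List[str]:
    """Ids of records whose retention period has ended on or before `today`."""
    if validate_policy(policy):
        raise ValueError("policy outside legal bounds; refusing to run cleanup")
    due = []
    for r in records:
        deadline = retention_deadline(r, policy)
        if deadline is not None and deadline <= today:
            due.append(r.record_id)
    return sorted(due)


# Constructed sample policy for one customer (in months); the 30 years for work-related
# disorders is a made-up value standing in for the customer's own, longer setting.
SAMPLE_POLICY = {
    "medical_record": 20 * 12,
    "medical_record_work_related": 30 * 12,
    "case_file": 2 * 12,
    "appointment": 6,
}

# Constructed sample records and reference date.
SAMPLE_RECORDS = [
    Record("appt-1", "appointment", date(2024, 10, 1)),
    Record("appt-2", "appointment", date(2024, 12, 1)),
    Record("case-1", "case_file", date(2023, 3, 15)),
    Record("case-2", "case_file", None),
    Record("med-1", "medical_record", date(2004, 1, 31)),
    Record("med-2", "medical_record", date(2004, 1, 31), work_related=True),
]
SAMPLE_TODAY = date(2025, 4, 23)

if __name__ == "__main__":
    print(records_due_for_deletion(SAMPLE_RECORDS, SAMPLE_POLICY, SAMPLE_TODAY))
```

Two details carry the policy's intent: a case file without a completion date never reaches a deadline, because its two-year period only starts after the process ends, and cleanup refuses to run at all when a configured period is outside the legal bounds, so a mistyped setting cannot silently delete medical records early or keep appointment files too long.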

We also support an extensive authorization model. You can determine in detail which documents and data should be transparent and adaptable for which roles.

Certifications

You can set everything up perfectly, but that only has value if customers can rely on it. One way to give customers more confidence in this is through various certificates and statements. Otherside at Work holds ISO 27001 and NEN 7510 certification. In addition, we obtain a SOC2 statement every year. "These quality guarantees give customers the assurance that we meet international standards," explains Stef.

  • ISO 27001: "This confirms that our information management system is structured and that we are constantly updating our choices."
  • NEN7510: "ISO 27001 is the globally recognized standard for information security. The NEN7510 is the derived Dutch variant specifically intended for healthcare providers, such as hospitals or pharmacists. This provides a number of extra specific guidelines for measures to be taken when you process medical data."
  • SOC2: "A SOC2 statement is a very valuable addition to an ISO or NEN certification. This gives certainty that you not only say that you work in a certain way, but also that you have done it that way in a certain period of time. Every year, an independent auditor looks at all activities that have been done in the past year. This demonstrates that we have worked in accordance with strict procedures for a long time. It therefore offers a lot of extra security for our customers."

He emphasizes: "This combination of certifications and declarations shows that we not only have the right processes in place, but also consistently comply with them."

Why choose Otherside at Work?

Stef concludes: "At Otherside at Work, data privacy is a top priority. With our Xpert Suite, we offer customers a safe and reliable solution for absenteeism management. Our focus on local data centers, network security, secure data storage, continuous monitoring and certifications ensures that our customers can work safely and privacy-proof with the special personal data processed by us."

Want to know more about how Xpert Suite can support your organization? Please contact us.