Data protection means the protection of personal privacy. In the digital world, our personal and fundamental rights have been protected by a law and an equivalent regulation since 1992. We remember it well – in 1992 it was three years before the first online sales (Echo Bay which is now eBay) and a full five years before Google was launched. Both of these areas are exactly those privacy protection still remains a challenge to this day. It’s an open secret that the Swiss federal law and the associated regulation are no longer appropriate for today's digital age. The next generation, which intends to meet today's challenges, is ready to go in the form of the current draft version of the new federal law on data protection, the E-DSG. This draft is currently in the process of being revised and will be debated in Parliament in the autumn 2020 session. Read this article and find out about the innovations and challenges that the draft new law brings with it.
In May 2018, the European Union's new General Data Protection Regulation (GDPR) was introduced. At the time, the question of whether or not the GDPR applied to Swiss companies was the cause of great uncertainty. The new Data Protection Act (DSG) is strongly oriented towards the GDPR, so companies that already implement the GDPR regulations are well prepared. It means that many of the processes, guidelines, specifications and templates are already in place and in use. There will need to be only marginal adaptations in terms of the new Swiss data protection regulations – provided that the homework on the GDPR has been learned. Nonetheless, internal and external data protection declarations must be brought into line with the new law, and existing processes must be adapted or expanded as appropriate.
Companies that until now complied only (or for the most part) with Swiss legislation will be faced with a number of challenges under the new federal law. Most importantly, a significant amount of resources and expertise will be needed.
Creating inventories of processing activities
Under the new Data Protection Act, companies with 250 employees or more must keep records on the processing of personal data. This applies to both data controllers and data processors (under the GDPR).
To implement this, the business processes must be analysed and the processed data recorded and then actively managed. There are many challenges associated with this process, ranging from identifying personal data, categorising or classifying them, to repeatedly updating the registers and identifying personal data that is transferred to third parties. With the help of data protection experts, this becomes easier and more efficient.
Data Breach Notification
These inventories or lists of processing activities may also be the basis for providing information to both the authorities and the data subjects in cases where data may have been lost and/or disclosed within the required deadline. The corresponding requirements of the new Data Protection Act – to inform the data protection and public relations officer of the FDPIC and, where there is a high risk, also the persons concerned “as quickly as possible” – require a process with clearly defined responsibilities and the provision of specifications and guidelines.
Innovations in terms of the existing data protection law
But what are the changes for companies in concrete terms? Below is an overview of the most significant innovations and changes in the draft Data Protection Act which may have a direct impact on business processes and procedures:
- Setting up and managing an inventory of processing activity.
- Increased obligations to inform data subjects about the processing of their personal data.
- The obligation to allow data subjects to exercise the right to portability or deletion.
- In the event of data breakdowns or losses, the authority (FDPIC) must be informed, and where necessary all persons affected by the data breakdown must be also be notified.
- A data protection impact assessment must be conducted in the case of data processing operations that present a high risk in terms of the protection of personal privacy or the fundamental rights of the data subjects.
As you can see, analysing business processes and knowing where which data is processed is the foundation for success in implementing legal compliance with the new Data Protection Act.
Preparation is half the battle – especially with data protection
Even though the debate on the new data protection law is only just beginning to resolve the discrepancies, and it is hardly realistic to expect it to be introduced before mid-2021, it would be a mistake to underestimate the effort required to plan and implement the work needed. Experience shows that it takes one to two years to implement the measures mentioned above – in other words, companies need that time to get ready to implement them. The following procedure is helpful if you are just starting out on this.
- A first step is to consider what personal data is processed within your company and in which business processes. Check the processing objectives of this data and also the lawfulness of their collection. Under certain circumstances, there may already be a consent for the person concerned, or there may be a legal basis for processing the personal data.
- You should also check where and to whom you are sending this data. If personal data is transferred to third parties or even abroad (EU / USA or third countries), on the one hand legal restrictions apply, and on the other hand contracts with order processors must be created and managed.
- Compile this information so that you have an inventory of the systems and processes that process personal data.
- You should now examine the new Data Protection Act's legal requirements for processing activities using a CAP analysis, identify the need for action and define the appropriate measures.
As stated previously, in the event of data protection incidents, you need to inform as quickly as possible. Find out what processes and precautions have been taken in your company to deal with data protection incidents. Has a person with responsibility for data protection been appointed and is the person known, or do you need to appoint a data protection officer? (DPO, Data Privacy Officer)
Are you ready for the new Data Protection Act?
Data protection is a complex issue. Digitalisation and the growing threat of cyber attacks do not make it any easier. It is advisable for many companies to consult external experts on a project by project basis or on a mandate, because experience and comprehensive expert knowledge are indispensable for dealing with issues like the implementation of the new Data Protection Act. What is it looking like in your company?
Our experts will accompany you right from the planning stage to the implementation of all the steps required – for example, analysing your data stocks or in the case of complex data protection, impact assessments. On top of that, we offer you the option of using a “Data Protection Officer (DPO) as a Service”, who can support and advise you on all questions pertaining to data protection.
Move with the times and have confidence in our expertise and experience. Contact us – we will be happy to advise you about our services in the field of data protection and compliance.