Data protection means the protection of personal privacy. In the digital world, our personal and fundamental rights have been protected by a law and an equivalent regulation since 1992. We remember it well – 1992 was three years before the first online sales (Echo Bay, which is now eBay) and a full five years before Google was launched. These are exactly the areas where privacy protection remains a challenge to this day. It’s an open secret that the Swiss federal law and the associated regulation are no longer appropriate for today's digital age. The next generation, which is intended to meet today's challenges, is ready to go in the form of the current draft version of the new federal law on data protection, the E-DSG. This draft is currently being revised and will be debated in Parliament in the autumn 2020 session. Read this article to find out about the innovations and challenges that the draft new law brings with it.
In May 2018, the European Union's new General Data Protection Regulation (GDPR) was introduced. At the time, the question of whether or not the GDPR applied to Swiss companies caused great uncertainty. The new Data Protection Act (DSG) is strongly oriented towards the GDPR, so companies that already implement the GDPR regulations are well prepared. Many of the processes, guidelines, specifications and templates are already in place and in use. Only marginal adaptations will be needed for the new Swiss data protection regulations – provided that the homework on the GDPR has been done. Nonetheless, internal and external data protection declarations must be brought into line with the new law, and existing processes must be adapted or expanded as appropriate.
Companies that until now complied only (or for the most part) with Swiss legislation will be faced with a number of challenges under the new federal law. Most importantly, a significant amount of resources and expertise will be needed.
Under the new Data Protection Act, companies with 250 employees or more must keep records on the processing of personal data. This applies to both data controllers and data processors (under the GDPR).
To implement this, the business processes must be analysed and the processed data recorded and then actively managed. There are many challenges associated with this process, ranging from identifying personal data and categorising or classifying it, to repeatedly updating the registers and identifying personal data that is transferred to third parties. With the help of data protection experts, this becomes easier and more efficient.
These inventories or lists of processing activities may also be the basis for providing information, within the required deadline, to both the authorities and the data subjects in cases where data may have been lost and/or disclosed. The corresponding requirements of the new Data Protection Act – to inform the Federal Data Protection and Information Commissioner (FDPIC) and, where there is a high risk, also the persons concerned “as quickly as possible” – require a process with clearly defined responsibilities and the provision of specifications and guidelines.
But what are the changes for companies in concrete terms? Below is an overview of the most significant innovations and changes in the draft Data Protection Act which may have a direct impact on business processes and procedures:
As you can see, analysing business processes and knowing where which data is processed is the foundation for success in implementing legal compliance with the new Data Protection Act.
Even though the debate on the new data protection law is only just beginning to resolve the discrepancies, and it is hardly realistic to expect it to be introduced before mid-2021, it would be a mistake to underestimate the effort required to plan and implement the work needed. Experience shows that it takes one to two years to implement the measures mentioned above – in other words, companies need that time to get ready. The following procedure is helpful if you are just starting out on this.
As stated previously, in the event of data protection incidents, you need to provide notification as quickly as possible. Find out what processes and precautions are in place in your company to deal with data protection incidents. Has a person with responsibility for data protection been appointed and is that person known, or do you need to appoint a data protection officer (DPO, Data Privacy Officer)?
Data protection is a complex issue. Digitalisation and the growing threat of cyber attacks do not make it any easier. It is advisable for many companies to consult external experts on a project-by-project basis or on a mandate, because experience and comprehensive expert knowledge are indispensable for dealing with issues like the implementation of the new Data Protection Act. What does the situation look like in your company?
Our experts will accompany you right from the planning stage to the implementation of all the steps required – for example, when analysing your data stocks or in the case of complex data protection impact assessments. On top of that, we offer you the option of using a “Data Protection Officer (DPO) as a Service”, who can support and advise you on all questions pertaining to data protection.
Move with the times and have confidence in our expertise and experience. Contact us – we will be happy to advise you about our services in the field of data protection and compliance.