The Revised Data Protection Act is on its way – 5 priority to-dos for companies

There’s not long to go now: On 1 September 2023, the revised Data Protection Act will enter into force, introducing increased disclosure, information and reporting obligations. All companies are affected by the new data protection law, regardless of their size. Indeed, all have a wealth of data at their disposal: from customers, suppliers, business partners and employees. Against a background of digitalisation and cyber attacks, the new provisions require companies to ensure data security and significantly reduce the risk of misuse of personal data.

The revised Data Protection Act will apply from its effective date of 1 September 2023; there are no transition periods. This means that companies must take urgent action in the next months if they have not yet aligned their data protection policies with the EU’s General Data Protection Regulation (GDPR), i.e. with the EU standards on which the Swiss law is based.

So, what do you need to do to comply with the new data protection requirements?

First of all, it’s important not to underestimate the expertise required in the area of data protection; the material and human resources; and the time needed to comply with all the regulations.


5 to-dos

1. Record processing activities

Under the new law, companies are subject to increased information duties. This means that natural persons must be adequately informed about the processing of their personal data. This includes, among other things, the identity and contact details of the person responsible for data processing, the purpose of processing, the recipients of the data, the justification for data processing and information on the duration of storage (to learn more (in German or French), see here). In addition, the data subject rights must be safeguarded, i.e. the rights of the data subject vis-à-vis the company processing the data. Consequently, the company must be in a position to provide a data subject with information on the processing of his or her personal data. As a rule, this must be done within 30 days, which is not long considering the time and effort that may be required.
All of this relies on knowledge of the (business) processes and activities that involve the processing of personal data, the purpose for which this is done, and whether, and which, data is also disclosed abroad and/or to third parties. A comprehensive stocktake is vital and may be carried out effectively as follows: first, create a directory or inventory listing every process that involves or processes personal data. Label the individual processes with their key features; this will not only give you an overview of processes, but also provide a solid basis for evaluating them in terms of data protection risks. Companies with more than 250 employees are required to maintain a formal directory, i.e. the “register of processing activities”. However, even companies below this threshold are required to know their processing activities and assess the risks, which is why they too must in effect keep an inventory or list.

2. Identify, analyse and assess risks

Once the inventory lists every process that processes personal data, the risk assessment, a critical step, begins. This involves assessing the data protection risk to the data subjects for each process listed in the inventory. To do this, you should assess and classify the probability and impact of the various potential risks in processing. Put simply, the greater the amount of personal data involved in a processing activity, the more parties involved and the more sensitive the data, the higher the risk. If the features of each processing activity have already been appropriately recorded in the inventory of processing activities, the risk assessment can be completed and documented quickly and efficiently.


3. Get technical and organisational measures right

The next step is to check whether appropriate technical and organisational measures (TOM) have been defined and implemented for each processing activity. As a rule, the higher the risk identified for a processing activity, the stronger and more comprehensive the measures need to be in order to reduce that risk to an acceptable level. Within the risk acceptance of the company or organisation, technical measures (usually IT security precautions) or organisational measures (such as directives and controls) need to be defined in order to minimise the risk. Companies and organisations are therefore required to define and implement appropriate TOMs to prevent cyber attacks, data theft or other data loss. This is done based on the assessed risk (see point 2: Identify, analyse and assess risks). The risk assessment must be checked regularly to ensure that it is up to date. Similarly, the TOMs must be adapted to new circumstances and ongoing technical developments as required. It is also important to review regularly whether the TOMs are correctly implemented and effective. To be able to prove the due care of the company (and the responsible bodies) in any criminal proceedings, it is essential that risk mitigation activities are documented.


4. Meet new information duties

Management bodies of companies or organisations that do not adequately meet their information duties when collecting personal data in the future risk criminal sanctions and fines of up to CHF 250,000. In particular, information must be provided about the identity and contact details of the company or organisation that collects the personal data, about the purpose of processing and, in the case of disclosure to third parties, about the recipients. If personal data is disclosed abroad, the countries as well as any applicable safeguards to ensure adequate protection of the personal data or the applicable exceptions must be communicated. Notifications are typically made in data protection statements on the website if they are directed at third parties. Employees are usually informed via personnel regulations or appendices to the employment contract. For specific software or applications, the information can often be found in an application-specific privacy statement.


5. Safeguard processes – ensure effectiveness of internal workflows

Many internal processes need to function smoothly in order to comply with the data subject rights mentioned under point 1 (Record processing activities) (e.g. requests for information or deletion), or to be able to respond to data protection incidents in compliance with the law (e.g. if personal data is unlawfully lost). Creating checklists or process diagrams is recommended to set out what employees or their deputies have to do in the respective situation and when the tasks defined for a particular case have to be completed. The following (overarching) questions can be helpful in ensuring that internal processes work properly:

  • Is the procedure for data protection incidents clearly governed? Are the responsibilities defined and does the defined internal process meet the obligation to report to the Federal Data Protection and Information Commissioner (FDPIC) within 72 hours?
  • Can resource planning and the defined processes accommodate the processing and fulfilment of requests for information or deletion, even if a large number of data subjects make such requests at the same time (deadline: 30 days)?
  • When new IT systems are implemented or changes are made to systems or software, do you ensure that a check is performed to determine whether a data protection impact assessment is necessary?
  • What is the procedure to follow when processes involving the processing of personal data are introduced or changed?
  • Have all necessary measures been taken to fulfil the information duties (incl. creation or amendment of the data protection policy, general terms and conditions, etc.) and have responsibilities been clearly defined?

It’s a good idea to work through the to-do items set out in this article before the revised Data Protection Act enters into force. Implementing the measures outlined will help you be ready – and data protection-compliant – on 1 September 2023.
