On 1 September, the long overdue new Federal Act on Data Protection came into force. But what does this mean for your business? We have the answers and will explain what actions your company should take as soon as possible, if this has not happened already.
What is it all about?
The new law aims to protect the data of natural persons – people like you and me – from misuse. In view of the fact that the essential features of the current law date back to 1992, an update was more than overdue. Technological progress and digitalisation have not stood still. The revised law is now intended to protect our privacy even under these changed conditions and to enable us to control the processing of our data ourselves.
What does the law cover in specific terms?
Bringing light to the darkness – greater requirements for transparency: your company is now required to provide better and more comprehensive information about the personal data you process and the purposes for which you process it.
Paperwork deluxe – improved data processing documentation: your company must record in detail what personal data you process, for what purpose, and who has access to that data.
No freedom without security – priority to data security: there is increased focus on the security of personal data. Implications for your business: you must take technical and organisational measures to ensure its integrity.
When things become tricky – reporting obligation for data protection incidents: in the event of serious incidents such as data loss or theft, your company must inform the Federal Data Protection and Information Commissioner (FDPIC) as well as data subjects.
Tough measures when it comes to refusal to comply – penalties for intentional breaches: in the event of breaches of the Federal Act on Data Protection, there is a risk of fines of up to CHF 250,000, mainly for those responsible. If the responsibilities are unclear, your entire company will be penalised.
And what does all this mean for small and medium-sized enterprises (SMEs)?
The measures may vary according to the company, but here are the key steps you and your company should take into account. Otherwise, problems might arise.
Designate a person who is responsible for data protection and who creates an inventory of your data processing activities: a data manager, so to speak, who first looks at what you are doing with data.
When third parties process data with you, check whether the data is likely to be transmitted abroad and regulate how this works.
Take a closer look at critical processes. A data protection impact assessment may be necessary.
The people whose data you hold must be in the know. This usually happens via the privacy statement on the website.
Take a look at the security of your information systems and adjust them if necessary.
Check how you respond to requests from people who want to know what you are doing with their data. Also draw up emergency plans so that everyone knows how to respond to security incidents.
Find help here
The leaflet from the data protection lawyer David Rosenthal offers practical guidance, especially for SMEs.
The free self-assessment tool by David Rosenthal and his team enables a realistic assessment of the status quo.
Additional forms and templates that David Rosenthal provides here will further facilitate the process.
Data protection lawyer David Vasella and his team run datenrecht.ch, an informational blog with practical checklists and tips.
Yes, implementation may seem complex at first glance. But do not be daunted. Use the resources mentioned to ensure that your company complies with data privacy regulations and that your customers’ and employees’ data remain protected.
Data protection is not a static concept; it is constantly evolving to meet current technological challenges. As a responsible company, it is your task to ensure the integrity and confidentiality of data. Therefore, start implementing the new data protection requirements today so that we can build a safer and more trustworthy digital future together.