What’s it all about?
The new data protection regulation dissolves the former provisions from 1995 in order to better protect the privacy of internet users. The basic regulation came into force on May 24, 2016, and must be consistently applied from May 25, 2018 following a two-year transition period. The provisions affect all companies that:
- process the data of people from the EU
- analyze the data of people from the EU
- offer people from the EU goods or services
It is irrelevant here whether or not the data is processed within the EU or in Switzerland. Those most specifically affected, for example, are exporters, mail-order traders or operators of sales platforms. Anyone violating the regulation can expect a fine.
Experiences at Ronal AG
Ronal AG is based in Härkingen (SO) and is one of the leading manufacturers in the market for alloy wheels, supplying all the well-known automotive producers worldwide as an original equipment manufacturer. This international business model means that Giovanna de Boers, project manager at Ronal AG, has already had to examine the new data protection regulation intensively.
Giovanna de Boers, to what extent does the new EU data protection regulation affect Ronal AG?
As a global manufacturer and supplier of alloy wheels for cars and utility vehicles, we have customers and employees in the EU. Because of this, we are obliged to comply with EU data protection law when handing employee and customer data.
What adjustments have you had to make / do you still have to make within the company?
Thus far, Ronal has dealt with data protection on a rather “ad hoc”, more reactive basis with limited resources. The introduction of the new GDPR has prompted us to set up an appropriate data protection organization with clear responsibilities. Data flows and systems were analyzed and compiled in an inventory. On top of this, a fit gap analysis was carried out to identify the necessary measures for implementation. Furthermore, we reviewed contracts with third-party providers to assess their conformity with data protection and adapted them where necessary, established contractual regulation of transnational data transfer, recorded all business activities, issued corresponding guidelines and adapted internal processes. Using data protection impact analyses, we are clarifying communication requirements and compulsory statements. And last but not least, in order to ensure that employees remain informed about their rights and obligations and comply with the rules, we are preparing training sessions and audits for the near future.
What tips can you offer other Swiss SMEs when it comes to data protection?
Companies should not underestimate the resources required to meet the requirements of EU data protection law. The rules laid out in data protection law are often not entirely clear, and lots of value judgements have to be made. It is therefore important to set up a well-structured project, to issue a clear mandate to project members and to plan sufficient time for internal processes within the organization, so that you’re all singing from the same hymn sheet.
In spite of all this, SMEs should not be afraid to tackle the EU data protection regulation. At Ronal, for example, during the course of the implementation project, we found that a lot had been anticipated and properly done. What was missing, however, were written guidelines and clear process descriptions to guarantee that the statutory provisions are complied with.
It’s well worth carrying out a comparison of the current situation with the data protection provisions, so that gaps can be identified and measures prioritized.
The complexity and scope of the material means it’s worthwhile bringing on board an external expert who is familiar with the requirements of data protection law and can help the company to fill in the gaps by means of a risk-based approach.