The EU's General Data Protection Regulation (GDPR) becomes applicable on May 25, 2018 in all EU member states. It brings additional information and documentation obligations for companies, and meeting them costs money. No specific estimate exists for adapting Swiss businesses to the new law; in Germany, the Federal Statistical Office puts the adjustment costs at 1.5 million euros. Given the significance of the change, and because Swiss legislation will follow suit, companies should review their data protection governance now. The revised Swiss data protection law is expected to come into force in the summer of 2018.
Which companies are affected
The GDPR applies to Swiss companies even if they have no branch in the EU. Offering goods or services to persons in the EU (not only EU citizens), or processing data of persons in the EU, for example through a smartphone app, is sufficient to bring a company within its scope. Whether the processing is performed in the EU or outsourced to Switzerland is irrelevant. If a Swiss data center also processes data for a subsidiary or branch in the EU, that processing falls under EU law.
Generally speaking, the GDPR substantially expands the rights of data subjects and the information obligations of companies. Personal data means any information relating to an identified or identifiable natural person; no distinction is made between data from a person's professional and private life. Companies must also maintain records of their processing activities.
One of the most important provisions of the new law is the right to be forgotten: a data subject can request that their personal data be erased, for instance where the data are no longer needed for the purpose they were collected for or where consent has been withdrawn. The requirements for consent have also been raised: companies must inform data subjects clearly and understandably about what data will be processed and for what purpose, consent must be freely given and unambiguous, and it must be as easy to withdraw as it was to give. A data protection officer is mandatory for public authorities and for companies whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive data such as health, genetic or biometric data.
Swiss companies that do not comply with the new rules must also expect penalties. These can amount to up to four percent of worldwide annual turnover for the preceding fiscal year or 20 million euros, whichever is higher. The preliminary draft of the revised Swiss data protection law also provides for a maximum penalty of 500,000 francs.
One of the most important measures for protecting customer data effectively, avoiding data leaks and thus fines or reputational damage, is to gain an overview of the personal data the company holds:
- Take stock of the personal data collected. What information is stored, where, and for what purpose?
- Clarify whether a data protection officer must be appointed. The role can be filled by an internal or external person.
- Administer access rights to personal data strictly, granting each role only the access it needs.
- Protect the web-facing systems through which that data is accessed.
The cloud must not be ignored when considering internal data processing and the safeguarding of personal data. Data in a cloud is often better protected technically than data on a hard drive or server within the company. The company nevertheless remains responsible as controller: the cloud provider must be bound by a processor contract, and where the data is stored and who can access it must be known.
Data protection is the basis of consumers' and business partners' trust and therefore a prerequisite for successful digital transformation. By adhering to the GDPR, Swiss companies secure their place in a networked Europe.