Data Protection in Switzerland

Demian StauberPartner, Rentsch Partner Ltd.

This article was taken from the recent IR Global – Meet the Members publication 

Up until a few months ago, most Swiss companies did not pay particular attention to the stringent implementation of data protection measures. This was due to the fact that customer complaints and enforcement actions by authorities were rare.

Recently, however, perception has started to change. This is because many Swiss companies will be affected by the European Data Protection Regulation (GDPR), and the Swiss Parliament’s current revision of the Swiss Data Protection Act (DPA).
• Although the GDPR is a European Union regulation, it also applies to certain companies domiciled outside the European Union. In particular, it applies to Swiss-based companies offering goods or services to, or monitoring the behaviour of, EU residents (so-called data subjects).
• The Swiss DPA is currently under revision. The draft presented to the Swiss Parliament contains many rules resembling the GDPR, which, in fact, served as a source of inspiration for the preparation of the draft. While there will most likely be elements with a ‘Swiss finish’, generally one may expect that compliance with GDPR rules will be an excellent starting point for complying with the Swiss DPA. Conversely, Swiss companies which do not need to be GDPR-compliant because they are outside the scope of its application (see above), cannot sit back and relax, but need to prepare for the new Swiss DPA rules.

Under both the GDPR and the DPA, failure to comply with the rules may lead to significant penalties. Also, current developments, such as the alleged abuse of personal data for interfering in political processes, have awakened the public interest in Switzerland for data privacy and data protection.

DATA PROTECTION POLICY IS A TOP-LEVEL ISSUE

Despite this, many Swiss companies perceive the new data protection legislation as a nuisance. Accordingly, they delegate the implementation of the new rules to either the IT department or some other support unit (such as the legal team, HR or accounting) with little guidance on the companies’ overall policies and approach to data privacy and data protection.

In my view, this is the wrong approach for the following three reasons, which I will discuss in more detail below:
•A company’s overall approach to data privacy and data protection is a strategic question with potentially far-reaching consequences.
•Without backing by top-level management, proper implementation of the legal requirements is impossible.
•The measures required for implementation are not just a burden, they may also present opportunities to enhance business.

STRATEGIC APPROACH TO DATA PROTECTION
Firstly, a company needs to determine which overall approach is adequate and feasible in its particular business and in light of the general strategic positioning of the company. For this assessment, consider whether the company’s reputation (e.g. ‘best-in-class’, ‘trustworthy’, ‘innovative’ etc.) may impact on how the company treats data. This applies both to personal data, which is the subject of the data protection laws, and also other data, which may well be a valuable and vulnerable asset. For instance, if a company relies on the trust of its customers, then perfect transparency and higher security standards than mandated by the law may be appropriate. If a company holds itself out as innovative, then inventive concepts around ensuring data privacy and protection may be the way to go. If implementation of GDPR and DPA compliance are delegated to some support units, they will usually simply seek to implement the minimum required standards to comply with the law, without considering such strategic aspects.

BACKING BY TOP-LEVEL MANAGEMENT
The GDPR and the DPA contain numerous provisions requiring cumbersome and time-consuming analysis and implementation measures. To make things worse, most departments of a company usually need to be involved to achieve proper documentation and process management. Accordingly, delegating to a single business unit without empowering it to seek substantial and timely assistance from other parts of the business will lead to failure.

OPPORTUNITIES
Compliance with current data protection legislation requires thorough understanding of a company’s business processes and meticulous documentation of data obtained, data flows, access, storage, and security measures etc. An open-minded approach in the analysis of these elements provides, in turn, a great opportunity to reconsider and improve such processes and mechanisms and to ultimately achieve progress.