The current Swiss Data Protection Act (DPA) is twenty-five years old and a brand new law is being prepared by our federal authorities. It is not expected to enter into force before 2019. However the European General Data Protection Regulation (GDPR) will apply from 25 May 2018 and bring a few important changes to the current data protection regulation in Europe. This is why the question of the implementation of the GDPR in Switzerland must be addressed.
The new regulation is valid across all EU countries and directly applicable. Organisations and individuals can be fined if they do not adhere to the law: where minor breaches can be fined up to €10 Million or 2% of the annual worldwide turnover (choose the greatest), major breaches will be fined up to €20 Million or 4% of the annual worldwide turnover (choose the greatest). The question of a direct enforcement of the administrative measures and sanctions in Switzerland has yet to be answered. Furthermore national authorities will have the power to temporarily or permanently stop data processing.
Even though the new regulation comes from the EU, it does impact organisations in Switzerland. If you answer ‘yes’ to any of the following questions, GDPR does apply to your organisation and the data you hold about European individuals.
- Does your organisation offer services or goods to individuals in the EU?
- Does your organisation process or participate in processing of personal data of EU individuals, for itself or on behalf of another organisation?
- Does your organisation monitor online behaviour of users based in the EU?
- Does your organisation analyse the activities of EU users when they are using your organisation’s app or browsing its website?
Under the GDPR, you must not only comply with the six core principles below, but also demonstrate your compliance by providing the appropriate documentation, especially if you rely on individuals consent.
- Process data lawfully, fairly and in a transparent manner
- Collect data for a legitimate, specified and explicit purpose
- Process data only if it is relevant, adequate and necessary to the purpose (data minimisation)
- Process accurate data and, if necessary, update it
- Retain data only for as long as necessary
- Ensure the security, integrity and confidentiality of data
Steps to take (now)
This guide does not attempt exhaustivity but aims at summarising key elements that the author thinks Swiss organisations need to consider for the implementation of the GDPR in Switzerland.
1. Document what personal data you hold
Before taking any other action, you should document what personal data you hold, its origin, how you process it and for which purpose. You should also be able to determine who you are sharing it with. As a reminder, the GDPR requires you to keep records of your processing activities.
2. Appoint a representative (or Data Protection Officer)
Before step one, or right after, you should designate (or hire) someone who will be responsible for data protection compliance. The GDPR does not require you to appoint a representative if the processing is occasional, does not involve large-scale processing of sensitive data, or is unlikely to be a risk to individuals. In doubt, at least consider hiring a consultant.
3. Review your current privacy notices
You should review all the privacy notices and make the appropriate changes before the GDPR enters into force. Among other information, you will need to give people your identity, explain how you collect and process personal data, the basis for processing the data, the retention period, the right to access the data and the right to complain to a national authority. The information must be provided in a clear and easy to understand language. Your contracts with providers and third parties will need to be reviewed and amended accordingly.
4. Identify the lawful basis for the processing activities
For each processing activity, you must identify its lawful basis (consent, law, etc.). The GDPR requires data controllers to document it (principle of accountability). This step is very important as individuals are given specific rights and the extent of their rights depends on the lawful basis for processing their personal data. Furthermore, the basis must be explained in your response to an access request and in the privacy notice (see above).
5. Review how you seek consent
The conditions for consent have been strengthened. Consent must be freely given, specific, informed and unambiguous. It can be withdrawn whensoever. You cannot infer consent from silence or inactivity any more.
Here is a small checklist of the practices you should review.
- Determine whether consent is appropriate for the considered processing
- Do not use long illegible terms and conditions full of legalese
- Request consent separately from other terms and conditions
- Name your organisation and third parties
- Make sure people opt in (opt out is forbidden)
- Avoid consent by default or pre-ticked boxes
- Verify the individuals age and seek parental consent if necessary
- Provide granular options to consent to nonessential processing
- Keep records of when and how the individual gave their consent
- Regularly review and refresh (parental) consent.
6. Prepare for individuals to exercise their (many) rights
The GDPR gives individuals reinforced rights, as well as new rights. You must cover all the following rights:
- Right of access
- Right to be informed
- Right of erasure
- Right of rectification
- Right to object
- Right to restrict processing
- Right not to be subject to automated decision-making
- Right to data portability.
You must be prepared to react properly. It is therefore advised to set up a process in order to record and act on each individual’s request. The right to portability only applies when processing is carried out by automated means, to data provided to a controller by an individual, and to the processing based on the individuals consent or for the performance of a contract.
7. Verify individuals ages
The GDPR protects children personal data, especially regarding internet services (social networks, messaging apps, etc.). If you rely on consent to collect data and if you offer ‘information society services’ to children (i.e. services requested and delivered on the internet), parental consent will be mandatory, unless the minor is 16 or older. You should then consider age-verification measures. Remember also that the children must understand your privacy notice regarding consent.
8. Set up a process in case of data breaches
Few organisations are required to notify the authorities if they suffer data breaches. The GDPR introduces a general duty to report data breaches not only to the authorities but also to the individuals in specific cases. You will have to notify the authorities (presumably the Federal Data Protection Commissioner) if the breach is likely to result in a risk to the rights and freedoms of individuals; if this risk is high, you will have to notify the individuals directly. In order to protect the data, detect a breach, report it accordingly and investigate, you will have to put procedures in place.
9. Adopt Privacy by Design and by Default approach
Decision makers are not necessarily aware that the law is changing and understand data protection. Admittedly, data is an asset but it cannot be processed any old how. Privacy by Design and by Default is a legal requirement now. According to the GDPR, it consists in particular of
- minimising the processing of personal data
- pseudonymising personal data as soon as possible
- transparency with regard to the functions and processing of personal data
- enabling the data subject to monitor the data processing
- enabling the controller to create and improve security features.
In other words, the GDPR requires organisations to include data protection considerations in the core of their business. In order to achieve that, they will have to stay up to date with the latest norms and industry guidance (ISO 27001, 27002 in particular).
10. Carry out Data Protection Impact Assessments
You should carry out Data Protection Impact Assessments (DPIAs) in order to evaluate the origin, nature, particularity and severity of a risk to the rights and freedoms of natural persons. A DPIA is mandatory:
- if you process special categories of data (e.g. sensitive data) on a large scale
- if you wish to deploy a new technology
- if a profiling operation is susceptible to affect people in a significant manner.
More information about DPIAs here (by the Article 29 Data Protection Working Party).