On 1 September, without any transition period, a new Swiss Federal Act on Data Protection (FADP-nLPD) will come into force. Are you ready? Is your business ready? How exactly will it affect you?
On 1 September, without any transition period, a new Swiss Federal Act on Data Protection (FADP-nLPD) will come into force. Are you ready? Is your business ready? How exactly will it affect you?
Here, we take a closer look at what exactly FADP-nLPD (sometimes also referred to as ‘the new FADP’ and ‘nFADP’) will mean for you, your data and your business.
Swiss data protection then and now
The data protection laws we currently have in place date back to 1992, when the world was a very different, far less technologically-advanced (and arguably much safer) place.
By contrast, FADP-nLPD will bring Switzerland closer in line with the European Union’s General Data Protection Regulation (GDPR) laws – the idea being that Swiss citizens’ personal data will be significantly safer in today’s increasingly digital world.
It is worth noting here that if a company is GDPR compliant, it will have very little to change to be in line with nLPD.But there are a few differences.
The nLPD 101
“In simple terms, FADP-nLPD means businesses will have to handle personal data differently.
Essentially, it means both controllers and processors are obliged to ensure an “adequate” level of data security. Which means they must protect the integrity, confidentiality, and availability of personal data by means of “adequate” technical and organizational security measures.”
– Jonathan Da Dalto – Manager, Compliance and Delivery at Penta
All the following will apply:
Businesses will inform people they’re using their data, and tell them why
The data cannot then be used for any other purpose, beyond what’s been stated
The collection of personal information will be limited to what is directly relevant and necessary for that specific purpose
The data will be deleted as soon as it’s no longer needed
Personal data will only used at people’s discretion, and they have the right to refuse
Data will only be used in a way that the company would be happy for their own data to be used
Data will be checked for mistakes or gaps
Sensitive data cannot be passed on to third parties
Data security measures will be in place
Data will only be obtained from legal sources
What is personal data?
nLPD identifies personal data as “all information relating to an identified or identifiable natural person”.
So, examples of this might include an email, address, telephone number, order history, medical data …or anything that allows a person to be identified.
Which means all customer- and human resources-files fall under the scope of the law. Although it’s worth noting that data on ‘legal persons’ (as in any person or ‘thing’, such as a company, that can do the things a human person is usually able to do in law – such as enter into contracts, sue and be sued, or own property) is not affected.
When does nLPD apply?
From the moment there is a plan to process any personal data, which is generally long before any data is actually obtained.
If there might be any risk to the person (their rights or them personally) whose data is to be used, an impact analysis must be carried out first.
If a company falls victim to a cyberattack or security breach, it must promptly report it to all potentially affected users and stakeholders, as well as the FDPIC.
What happens if you break the nLPD law?
You (as a person) can be fined up to CHF 250,000. A company can also be fined up to CHF 50,000 if finding the specific person responsible is deemed to involve a disproportionate effort.
While this is a significantly lighter fine than those faced by anyone found to be in contravention of GDPR (which can be up to €20,000,000 or 4% of global turnover), the real danger is reputational damage.
How does nLPD apply to SMEs?
All the nLPD rules apply in exactly the same way for SMEs (small and medium-sized enterprises), bar one: the mandatory data processing register.
Under the nLPD rules, all companies have to keep a record of their data processing activities, except SMEs that only engage in low-risk data processing. This is because their data processing poses a limited risk of harm to the data subject.
How to become nLPD compliant
The first steps towards nLPD compliance are to prioritize data protection and perform a data protection gap analysis.
This will allow you to:
Analyze the current situation
Identify any potential weaknesses and risks
Define a roadmap for implementing new measures and mitigating risks
Beyond that, you should:
Keep records of all processing activities (form a data processing register).
Define internal practices and procedures for storing, using, transferring, and destroying data, in compliance with nLPD.
Define processes for Subject Access Requests, handling of data breaches and Data Protection Impact Assessments.
Educate all employees on nLPD and all privacy-related issues.
Appointing a Data Protection Officer (DPO) might also be a wise consideration. A DPO’s role is to monitor compliance with data protection laws, and provide advice and guidance on data protection.
How to find out more about nLPD
If you have any questions about the new laws, or would like more information about remaining nLPD compliant,get in touch.
Jonathan Da Dalto
Manager, Compliance and Delivery at Penta
Jonathan has a long history of delivering successful projects with Penta. His expertise lies in his in-depth knowledge, technical understanding and the ability to communicate complex requirements to both technical and non-technical project stakeholders. Jonathan oversees our most high profile and complex deliveries and makes sure deployments are carried out on time and on budget.
