On 1 September 2023, without any transition period, the revised Swiss Federal Act on Data Protection (FADP-nLPD) will come into force. Are you ready? Is your business ready? How exactly will it affect you?
Here, we take a closer look at what exactly FADP-nLPD (sometimes also referred to as ‘the new FADP’ and ‘nFADP’) will mean for you, your data and your business.
The data protection law currently in place dates back to 1992, when the world was a very different, far less technologically advanced (and arguably much safer) place.
By contrast, FADP-nLPD brings Switzerland closer into line with the European Union’s General Data Protection Regulation (GDPR), the idea being that Swiss citizens’ personal data will be significantly better protected in today’s increasingly digital world.
It is worth noting that a company that is already GDPR-compliant will have very little to change to comply with nLPD. But there are a few differences.
“Essentially, it means both controllers and processors are obliged to ensure an “adequate” level of data security. Which means they must protect the integrity, confidentiality, and availability of personal data by means of “adequate” technical and organizational security measures.”
– Jonathan Da Dalto – Manager, Compliance and Delivery at Penta
All the following will apply:
nLPD identifies personal data as “all information relating to an identified or identifiable natural person”.
Examples therefore include an email address, postal address, telephone number, order history, medical data, or anything else that allows a person to be identified.
This means all customer files and human resources files fall within the scope of the law. It is worth noting, however, that data on ‘legal persons’ (any entity, such as a company, that can do the things a human person is usually able to do in law, such as enter into contracts, sue and be sued, or own property) is no longer covered.
The law applies from the moment there is a plan to process any personal data, which is generally long before any data is actually obtained.
If the planned processing may pose a high risk to the personality or fundamental rights of the person whose data is to be used, a data protection impact assessment must be carried out first.
If a company suffers a data security breach (for example through a cyberattack) that is likely to result in a high risk to the personality or fundamental rights of the affected persons, it must report it to the Federal Data Protection and Information Commissioner (FDPIC) as quickly as possible, and inform the affected persons where this is necessary for their protection or the FDPIC requests it.
Fines are directed at the responsible natural person, not the company: you (as a person) can be fined up to CHF 250,000. A company can instead be fined up to CHF 50,000 if identifying the specific person responsible would involve a disproportionate investigative effort.
While this is a significantly lighter fine than those faced by anyone found to be in contravention of GDPR (up to €20,000,000 or 4% of global annual turnover, whichever is higher), the real danger is reputational damage.
All the nLPD rules apply in exactly the same way to SMEs (small and medium-sized enterprises), bar one: the mandatory register of processing activities.
Under the nLPD rules, all companies have to keep a record of their data processing activities, except SMEs (companies with fewer than 250 employees) whose data processing poses only a low risk of harm to data subjects.
The first steps towards nLPD compliance are to prioritize data protection and perform a data protection gap analysis.
This will allow you to:
Beyond that, you should:
Appointing a Data Protection Officer (DPO) is also worth considering. A DPO’s role is to monitor compliance with data protection law and to provide advice and guidance on data protection.
If you have any questions about the new laws, or would like more information about remaining nLPD compliant, get in touch.