On September 1, 2023, the time has come: the new Swiss Data Protection Act comes into effect. This is a challenge especially for startups and smaller and medium-sized owner-operated companies in Switzerland. Unlike larger international firms, they often lack the resources to employ an in-house data protection expert or to afford expensive consultancy. However, the effort doesn't have to skyrocket, according to Manuel Stahl, Co-Founder of SECJUR, the platform for data protection compliance. We met him at his new office in Berne and asked him to share his experiences with us.
Manuel, SECJUR has already established itself in the stronghold of data protection, Germany, and has supported hundreds of German customers in Europe. Now you're also present in Switzerland. What's special about the new Swiss Data Protection Act?
Manuel: With the new Swiss Data Protection Act, citizens gain more rights when it comes to accessing, deleting, and transferring their personal data. The Swiss Data Protection Act is closely aligned with the European Data Protection Act. However, there are also differences and further developments. For example, genetic and biometric data are now included in the definition of particularly protected data in Switzerland.
"Management should consider data protection holistically. There are three levels that every organization must deal with: Legal, technical and organizational."
What does this mean for companies in Switzerland now?
Manuel: From September 1, 2023, all companies in Switzerland must be able to respond to requests from individuals regarding the use of their personal data and, if necessary, delete such data upon request. They must also inform individuals when collecting personal data or if data protection is violated. In some cases, a so-called impact assessment or the establishment of a register of processing activities involving personal data is necessary.
That sounds complex. Do you have any recommendations?
Manuel: The effort regarding data protection and security depends on the amount of personal data collected by a company, for instance, from customers, suppliers, or employees. The starting point is an overview of how and for what purposes personal or sensitive data is used within the company. At SECJUR, this is part of the free audit we offer.
So, what should be considered for successful data protection compliance implementation?
Manuel: Management should consider data protection holistically. There are three levels that every organization must deal with: Legal, technical and organizational. Everything needs to work together: legal data protection requirements (Level 1 in the form of policies and guidelines) must be integrated into workflows and tools (Level 2 Processes/Tools), employees must be trained (Level 3 Organization), and everything must be documented for authorities.
So, it's not sufficient for companies to just seek legal advice and create a data protection policy?
Manuel: That's not enough. To correctly implement this policy in the company's processes, tools, and databases, a precise understanding of the company's information technology is necessary, along with experts who know how to adjust tools and workflows. After all, privacy and data security are only as good as how well all employees in the company are trained. Policies must be understood. Otherwise, even the best data protection management system is ineffective.
"With the Digital Compliance Office solution, startups, smaller and medium-sized businesses can have compliance under control and focus on their core business."
That sounds demanding. How can you help startups cover all these aspects?
Manuel: At SECJUR, we have developed an exciting solution for smaller and medium-sized companies, especially startups, with our automation platform - the Digital Compliance Office. The platform consolidates all compliance areas under one roof. It's intuitive and easy to use, even without extensive prior experience. Additionally, all our clients have a dedicated contact person to support them. This makes implementing legal requirements a breeze, and standards like DPA, GDPR, or ISO 27001 can be quickly and easily met. This way, startups and smaller businesses can have compliance under control and focus on their core business.
Speaking of focusing on business. Depending on interpretation, guidelines can be implemented more or less strictly. What's your recommendation?
Manuel: Healthy pragmatism. The protection of personal data naturally takes absolute priority. After all, you want to maintain the trust of employees, customers, and suppliers. Moreover, in Switzerland, in addition to CEOs and board members, employees can also be criminally prosecuted and fined for violations. As you mentioned, an exaggerated interpretation of guidelines can also be damaging to business. Companies have often completely stopped personalized marketing activities due to a lack of knowledge and fear of mistakes. As always, finding the right balance is key. Risk assessment and following best practices help in this regard.
"Exaggerated interpretation of guidelines can also be damaging to business. Risk assessment and following best practices help in this regard."
What do you mean by risk assessment?
Manuel: Thanks to our compliance platform, our clients benefit from countless solved issues from different industries that make our software smarter and smarter. In this way, we can quickly provide management with precise data on the degree of implementation of data protection and the associated risk as a basis for good business decisions.
On September 1, 2023, the new Swiss Data Protection Act comes into effect. What else can we expect to come?
Manuel: The trend is clear: companies must comply with more and more requirements and standards to remain in business. Data protection is just one aspect. Equally important are topics such as information security, anti-money laundering, and whistleblowing. For example, next year, the new Cybersecurity Directive NIS2 will come into effect in the EU. With the use of AI, there will be more requirements soon. Therefore, it's worthwhile to look at compliance as an overarching topic. At SECJUR, we offer our customers a worry-free package, so they don't have to work with various specialists for each individual issue.
"It's worthwhile to look at compliance as an overarching topic. Data protection is just one aspect."
Last question. What do you recommend if a data breach occurs?
Manuel: Preparation and overview are essential. The better you've prepared your company for the new data protection regulations, the lower the probability of a data leak. If something does happen, every company should have an emergency plan in place. This plan includes clear steps and responsibilities for isolating the affected system, preserving evidence, notifying relevant parties, and cooperating with authorities. A well-coordinated response minimizes damage and allows the company to maintain the trust of its customers.

Thank you, Manuel, for these insightful perspectives!