Data Protection: GDPR and DPA

Context

May 25th, 2018, is the date on which the EU General Data Protection Regulation (GDPR) becomes applicable, and most likely by the end of 2018 or the beginning of 2019 the revised Swiss Data Protection Act (DPA) will also be adopted into Swiss law. The revision of the Swiss DPA is closely tied to the EU GDPR, so it is necessary to understand the one before the other.

The EU GDPR protects the personal data of individuals in the EU, regardless of where that data is stored or processed. It therefore also covers data which is stored in Switzerland or is used or processed by Swiss companies. Consequently, any Swiss company that offers goods or services to individuals in the EU, or monitors their behaviour, must abide by the EU GDPR, even without an establishment in the EU.

Furthermore, a pre-condition for the free flow of personal data between Switzerland and the EU is that the Swiss data protection law meets the criteria for being recognised by the EU as providing an adequate level of protection, comparable to the EU GDPR. Maintaining this adequacy status is the key reason for Switzerland to adopt a new DPA as soon as possible.

Without going into the details of what is allowed or not, or whether the EU GDPR norms are good or bad for citizens and companies, the fundamental consequence is that Swiss companies need to review in detail all aspects of their data protection practices, starting with business processes, customer interactions, and data management.

Key insights

  • The EU GDPR affects not only EU-based organizations, but many data controllers and data processors outside the EU as well, in particular in Switzerland.
  • The new Swiss Data Protection Act (DPA), expected at year-end 2018 or at the beginning of 2019, will require every Swiss company to comply with new data protection norms.
  • Bringing data processing activities in line with the requirements will prove to be time-consuming and expensive, depending on an organization's current maturity level.
  • Compliance with EU and Swiss data protection norms will prove to be a strong unique selling point (USP) for enterprises and (IT) service providers in the eyes of business and trading partners, customers, and consumers.
  • Penalties of up to 4% of annual global turnover or €20 million (whichever is higher) can be imposed on organizations not complying with the GDPR.

Next steps

Companies need to ensure that their plans for complying with the upcoming changes in EU and Swiss legislation are on track. This means making sure that they have:

  • Transparency across processes, data, and IT systems (knowing which personal data is held where, and why)
  • Extensive documentation of processes and processing activities across the entire business
  • Information provided to EU data subjects as required by the EU GDPR (privacy notices and handling of data subject rights)
  • Evidence of compliance (for both the EU and the Swiss law)
  • A GDPR impact assessment for all business and IT projects, including data protection impact assessments where the processing is likely to present a high risk

How OpenWT can help you

At Open Web Technology, we offer our clients engaging and personalized consulting and development services. With our GDPR framework we can assist you with your first line of defence for GDPR compliance and start your business and IT transformation strategy, planning, and execution.