Why SMEs should get to grips with the new data protection law sooner rather than later
On September 1, 2023, the revised Data Protection Act will come into force. From then on, violations of key provisions will be subject to fines of up to CHF 250,000. These fines are imposed on the individual decision-makers in the company, not on the company itself. Lukas Bühlmann, Co-Head Digital, Data Privacy & E-Commerce at MLL Legal, advises companies to address their processes and security measures early on and to integrate appropriate activities into their existing security concepts. To this end, a bug bounty program and pentesting can be helpful.
Data has grown enormously in importance, providing companies with valuable insights about their customers for marketing and product development. At the same time, cyber incidents and data breaches are becoming more frequent, leading to substantial risk for both companies and affected individuals. The revised Federal Act on Data Protection (FADP) will come into effect on September 1, 2023 and aims to adapt data protection and data security to current technological realities. In addition to the expansion of content-related and formal regulations, the massively tightened sanction system for violations is one of the most important innovations. These sanctions are not directed against the companies responsible for data processing, but against the responsible managers and employees. Under the new law, these individuals will be threatened with fines of up to CHF 250,000 for certain violations. Dealing with this situation is particularly challenging for SMEs.
Lukas, why do we need a new Federal Act on Data Protection (FADP)?
As we all know, technological development has progressed rapidly in recent years. Correspondingly, the way we handle data has changed fundamentally. At the same time, the processing of data has grown enormously in importance, both socially and economically. It is therefore important for companies to have legal certainty: When and in what form can they legally use data, especially personal data? On the other hand, due to the growing interest in data, there is also an ever-increasing risk that personal data will be misused. There is therefore also a great need to protect the affected individuals from misuse.
The current data protection law originated many years ago against a completely different technological and social backdrop. Consequently, the current law can no longer address the central questions that arise from the perspective of companies and individuals today. That is why it is in fact undisputed: Data protection law must be adapted to modern circumstances.
When will the new law come into force?
The revision has been approved by parliament. The Federal Council has now decided that the new Federal Act on Data Protection (FADP) will come into force on September 1, 2023. It is important to note that there is no transition period. This means that now is the time to familiarize oneself with the new regulations and to prepare oneself and one’s company for when they come into effect.
What are the most important changes?
The core concept of the data protection law remains unchanged. When processing data, it must be clear to the affected individuals at all times what will be done with their data, what purposes the processing serves and who will have access to their data. These basic rules still apply.
What has changed, however, is that requirements pertaining to certain processing activities (for example, profiling) are described in more detail, and companies have to fulfill many more formal obligations regarding processes, documentation and data protection rights.
At the same time, the law provides more detailed and precise information about the rights of affected persons and what the guardrails are when they need to be invoked, for example the right to information or to deletion.
However, what seems to be most threatening for most companies is the significantly greater focus on enforcement of the new regulations. Until now, data protection law in Switzerland has been largely toothless. That is now changing. Under the new law, there are punitive sanctions for violations of key individual requirements, such as the duty to provide information or data security requirements. These sanctions are not directed against the company, but against the employees who are responsible as decision-makers for the respective data processing. This is a paradigm shift.
What role does IT security play in this?
As a decision-maker, I must ensure that data within my sphere of influence is secure; IT security measures must always reflect the latest state of the art. Ensuring this compliance is a major challenge, not only for SMEs. In this context, approaches such as bug bounty programs and pentesting can be attractive tools.
If, for example, data in my company is hacked and encrypted and it turns out that the data was not protected or was located on a data storage device that is easily accessible by everyone in the company, this would probably not be state of the art, neither from an organizational, nor from a technical viewpoint. In this case, such an incident, which is already unpleasant due to its immediate impacts, could also result in sanction proceedings for violation of data security requirements. Criminal proceedings against an IT manager would then not seem out of the question.
Dealing with security risks is becoming increasingly difficult. You must be proactive about prevention, asking: Are my systems secure? To this end, additional approaches such as a bug bounty program based on the creative power and swarm intelligence of friendly hackers are very interesting and hold promise for the future.
What is the situation like for Swiss SMEs?
Since the announcement of the enactment of the revised FADP, awareness of the issues has increased significantly and the will to comply is there. However, implementing the new rules and adapting company processes accordingly is an extremely difficult and technically complex challenge. The necessary investments of time and money do not generate any revenue and must run alongside daily business. Consulting on this topic must be of a correspondingly pragmatic nature.
Generally, a good approach is to work step by step towards the goal of becoming compliant with the new rules. Becoming 100% compliant through a one-off project is not a realistic goal. You must tackle individual steps based on a realistic and company-specific prioritization. The most important thing is to recognize the need. This has taken place. But there is certainly a lot to do in Switzerland.
Can companies insure themselves against these risks?
You cannot insure yourself against punitive sanctions. Of course, this is not only the case in data protection law. Moreover, a company is not allowed to take on a punitive sanction, such as a fine against an employee. When it comes to cyber incidents, there are, of course, insurance policies. But these become very expensive very quickly because cyber risks are increasing rapidly, and the consequences are becoming more and more difficult to insure against. Insurance products have conditions, exclusions and caveats. In addition, they often require assurances regarding the existing infrastructure and level of security which are not realistic in the SME environment. It is not advisable to take out such insurance policies without checking to what extent the requirements for the existing IT environment are met. At the end of the day, you may end up paying for an expensive insurance policy, which ultimately provides you with no coverage in the event of a loss.
What advice would you give to Swiss SMEs to ensure that they are optimally prepared for the challenges of cybersecurity and the new FADP?
It is important to get to grips with the subject. You might want to organize a workshop within the company so that the central employees are also up to speed. This will make it easier to deal with this difficult topic and you can then ask yourself in a structured way: Where are we compliant? Where are we not? What are our priorities? And then close the existing gaps step by step. It is critical that top-level management stands behind data protection as an issue and conveys its importance throughout the organization.
This all sounds very tedious and time-consuming. And it is. But you must remember, the importance of data has increased immensely. Data has great economic potential, generates added value, and enables the launch of new products. You earn money with it. Companies must make sure that they collect and handle data sustainably. This also includes the issue of compliance. Only then can the expected added value be achieved in the medium and long term.