6 Dec 2021

What changes with the revision of the Swiss Federal Act on Data Protection?

By Marc Minar

Director, Cybersecurity in Financial Services | EY Switzerland

Member of the Swiss Cybersecurity Leadership Team in EY's EMEIA Financial Services Consulting practice. Licensed pilot and passionate golf player.

The revision of the Swiss Federal Act on Data Protection comes into force in early 2022, affecting almost every company in Switzerland in various ways.

In brief
  • The Swiss Federal Act on Data Protection (FADP) has been revised to adopt a large variety of requirements from the General Data Protection Regulation (GDPR).
  • The new law comes into effect in early 2022 requiring numerous adjustments in technical and organizational measures.
  • Companies should now ensure appropriate technical and non-technical controls are in place to avoid non-compliance or even fines.

Data protection and data privacy continue to be very important, especially when sensitive personal data are being processed. The Swiss Federal Act on Data Protection (FADP) has been revised to adopt a large variety of requirements from the General Data Protection Regulation (GDPR). It is expected to come into force in 2022, with some sources even suggesting summer 2022.

The main goal of this revision is to raise Swiss data protection law to the level of the EU and therefore numerous adjustments are required. However, it will continue to adhere to its own basic concepts and even deviate from GDPR in various points. Examples of important innovations of the revised FADP are the much stronger sanctions, expanded information obligations and the obligation to create a data processing directory.

Since the revised FADP is very broad, it will affect almost every company in Switzerland. It is therefore recommended that you deal with the requirements of the revised law now, particularly because the FADP does not provide for any transition periods.

Key changes in the revised FADP

Below we would like to summarize the key changes coming from the revised FADP. Please note that this list is not exhaustive.

  • Stricter sanctions and expansion of the powers of the Federal Data Protection and Information Commissioner (FDPIC)

    In contrast to the existing FADP, the revised FADP provides for clear sanctions. Wilful acts and omissions are punishable, but not negligence. Anyone who violates the information obligations, the duty to provide information or the duty to cooperate can be fined up to CHF 250’000. A breach of the duty of care can also be punished with a fine of up to CHF 250’000 if requested. In addition, anyone who violates professional confidentiality or disregards an order can be fined the same amount.

  • Reporting data breaches

    Data controllers must report to the FDPIC “as soon as possible” if a breach of data security occurs that is likely to lead to a high risk for the data subject or their fundamental rights. A similar obligation exists under GDPR, where a report must be made within 72 hours if there is a risk for the data subject concerned. It is likely that the 72-hour window will also serve as a guiding value under the revised FADP.

    To address these requirements from an IT point of view, it is key to have a process in place for reporting to the FDPIC in due time. Companies must also be able to assess the risk to affected data subjects in case of a data breach. Moreover, the process should clarify exactly which authority needs to be contacted and what information needs to be submitted.

    Also, since many companies have difficulty determining that a data breach has occurred in the first place, such an incident may well go unnoticed. To address this, the right monitoring tools must be in place to detect breaches, e.g., a SIEM (Security Information and Event Management), a DLP system (Data Leakage Prevention) or an IDS/IPS (Intrusion Detection / Prevention System).

  • Extension of information requirements

    In the revised FADP, the information obligations are expanded. In the old FADP, there was already an obligation to provide information. However, this only applied to the procurement of particularly sensitive personal data or personality profiles. With the new data protection act, the person responsible for the data must inform each time personal data is obtained, provided none of the exceptions according to Art. 20 of the revised FADP exist. According to the revised FADP, the data subject must be provided with the following minimum information when obtaining personal data:

    - Identity and contact details of the person responsible

    - Purpose of the processing

    - If applicable, recipients or categories of recipients to whom personal data may be disclosed and recipients to which personal data are disclosed

    From an IT perspective it also makes sense to define a process for the transmission of personal data in a suitable electronic format. This process should cover the rights of data subjects in case of a data breach, the right to data portability, the right to be forgotten, the right to restrict data processing and more. Data processing applications in particular have to support this process, which can be a challenge in the case of unstructured data (e.g., files on file shares, or analog files such as paper, audio, pictures and scans stored on SharePoint sites).

  • Privacy by Design and Privacy by Default

    Anyone who is responsible for data and data processing must comply with stricter due diligence obligations, which are more precisely defined. As early as the project planning stage, data processing must be technically and organizationally designed in such a way that data protection regulations are adhered to. This "privacy by design principle" is already part of the GDPR and is now incorporated into the revised FADP. In addition, those responsible are required to use suitable default settings to ensure that only personal data required for the respective purpose are processed by default and that processing is limited to the necessary minimum ("privacy by default").

    To address these challenges technically, privacy by design can be achieved, for example, with pseudonymization (replacing personal data with artificial identifiers) or with encryption, so that only authorized persons can read the data.
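    As an added illustration of the two principles described above (not code from the original article or from EY), the following Python snippet pseudonymizes constructed customer records with a keyed HMAC and, following privacy by default, keeps only the fields the stated purpose requires. Field names, records and the key handling are assumptions for the example.

```python
import hmac
import hashlib
import secrets

# Privacy by default: only the fields the stated processing purpose needs survive.
# (Field names are assumptions for this example.)
REQUIRED_FIELDS = ("customer_id", "postal_code", "balance_chf")
# Direct identifiers that are replaced by artificial identifiers before processing.
IDENTIFIERS = ("customer_id",)


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Return a minimized copy of `record` with direct identifiers replaced by HMAC tokens.

    The token is deterministic for a given key, so the same person maps to the same
    pseudonym across records, but without the key the token cannot be linked back
    to the original identifier. The key must be stored separately from the data set.
    """
    out = {}
    for field in REQUIRED_FIELDS:
        if field not in record:
            continue  # missing optional field: nothing to carry over
        value = record[field]
        if field in IDENTIFIERS:
            digest = hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()
            out[field] = f"pseud_{digest[:16]}"
        else:
            out[field] = value
    return out


def pseudonymize_all(records: list, key: bytes) -> list:
    return [pseudonymize_record(r, key) for r in records]


# Constructed sample records (not real data): name and email are never needed downstream.
SAMPLE_RECORDS = [
    {"customer_id": "C-1001", "name": "Anna Muster", "email": "anna@example.ch",
     "postal_code": "8001", "balance_chf": 1250},
    {"customer_id": "C-1002", "name": "Beat Beispiel", "email": "beat@example.ch",
     "postal_code": "3011", "balance_chf": 80},
    {"customer_id": "C-1001", "name": "Anna Muster", "email": "anna@example.ch",
     "postal_code": "8001", "balance_chf": 1300},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # held by the controller, apart from the pseudonymized data
    for row in pseudonymize_all(SAMPLE_RECORDS, key):
        print(row)
```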

  • Order processor

    A contract processing relationship (e.g., when outsourcing to the cloud) can be established by contract or by law. The processor must process the data in the same way as the data controller would be permitted to do. Likewise, the controller must ensure that the processor is able to provide the required level of data security. In this respect, the existing legal situation does not change. However, the revised FADP now stipulates that the processor may only involve a third party with the prior consent of the controller (sub-processor; this corresponds to the regulations of the GDPR). Hence, it is key that companies have defined whose personal data is processed and for what purposes. Also, it must be clear which service providers are order processors and whether the respective contracts are in place.

  • Data Protection Impact Assessment (DPIA)

    Data controllers or data processors must carry out a DPIA in advance if a planned data processing operation may entail a high risk to the person or fundamental rights of the data subject.

    From an IT perspective it makes sense to define a process to support evaluating if a DPIA needs to be conducted. In the DPIA itself the scope, context and purpose need to be defined. It is useful to have an adequate template for the DPIA to properly evaluate the necessity, proportionality and compliance when conducting the assessment.

  • List of processing activities

    Responsible persons and order processors each have to keep a directory of their data processing activities. A similar obligation already exists in the GDPR. However, the Federal Council provides for exceptions for companies that employ fewer than 250 people and whose data processing entails a low risk of infringing the personality rights of data subjects.

    From an IT perspective, it makes sense to define a process for the development and continuous update of such a directory. Such a process should ideally record how data are processed (manually/automatically), for what reason, what type of data are being processed (personal data, highly sensitive personal data), where the processing takes place (i.e., which jurisdiction) and to whom the data are disclosed.

Comparison between the current and the revised FADP

In the table below you can see a summary of the changes in the revised FADP compared to the current version (not exhaustive).

General technical and organizational measures

In addition to some of the specific measures outlined above, it remains true that to holistically address the new requirements of the revised FADP, effective information security measures on technical and organizational level are required. It is also no coincidence that the GDPR explicitly requires the implementation of suitable technical and organizational measures in its article 32.

Technical measures are directly related to an information system. They typically include, for example, aspects of physical security (access controls) and hardware (network security), aspects of workplace security (lock screen, anti-virus programs) or access security (access management, role model).

Organizational measures relate to the system environment, i.e., in particular the people who use it and the requirements aimed at these people; key measures are raising employee awareness and internal guidelines. These are of great importance because humans are still the number one security risk, and their wrongdoing triggers around 80% of data protection incidents.

In general, it can be said that in addition to the specific measures proposed above, adequate technical and organizational measures must be defined to ensure adequate data security. Regular risk assessments, the definition of risk appetite and tolerance, and the definition and tracking of measures are key. Encrypting confidential data fields, correctly applying the need-to-know principle through proper identity and access management controls, security monitoring of critical events and more all help to reduce the risk of non-compliance with the revised FADP. Also, having strict contracts in place to ensure proper management of third parties handling personal data is an absolute must.

Summary

The revision of the Swiss Federal Act on Data Protection comes into force in early 2022, affecting almost every company in Switzerland in various ways.

The new requirements stemming from the revised FADP do not come as a surprise. Nevertheless, it is key that the necessary adjustments and upgrades to security controls are implemented before the new law comes into effect, in order to effectively avoid non-compliance or even fines.
