A framework for implementing the new data protection regulations

The new, harmonized EU General Data Protection Regulation came into force on May 24, 2016 and is applicable from May 24, 2018 without any further transition period. All companies operating in the EU, regardless of where they are headquartered, are already subject to this legislation. Legislative implementation in Switzerland is already in progress. This is reason enough for us to take a closer look at the General Data Protection Regulation in a series of articles.

Key elements for implementation at company level

At company level, there are three main measures to be implemented.

  • With very few exceptions, a data protection officer must be appointed. This officer has the task of informing and advising the responsible persons, employees and any contract processors about their data protection obligations. He must monitor compliance with the requirements and the implementation of the relevant measures. He also serves as the contact person and coordinator for all inquiries and information flows concerning data protection. The requirements placed on this person are very high, as he should have extensive expertise in the area of data protection. Especially if an in-house solution is preferred, this could prove to be a hurdle without accompanying measures, because improper implementation carries considerable risks of liability and fines.
  • A systematic risk analysis is also required. Most companies will already have a documented risk analysis, particularly if their processes are ISO 9001 certified. However, in order to meet the specific data protection requirements, it is also recommended that the persons whose data are processed be included as an independent asset in the risk analysis. This ensures that specific risks that might have little impact on the company itself are also taken into account and adequately assessed. It is also useful to keep records of the various considerations that contribute to the assessment of a given data-protection-relevant risk, so that the assessment remains easy to follow in terms of the required traceability. Appropriate measures to reduce the risks must then be defined and implemented.
  • There is an obligation to keep a record of processing activities. It must document which processing of personal data takes place; it covers only data relating to natural persons. This is a structured directory that documents each processing activity, its purpose, the persons and data subjects involved, the recipients of the data and the deletion periods. This measure is comparatively easy to implement, although not necessarily with little effort, as a corresponding template can be prepared and completed.

Processing-specific key elements

Once the company-wide principles have been laid down, we can look at the individual processing operations. Four measures are central here.

  • Carry out a so-called data protection impact assessment before processing goes into production, provided that personal data is processed. In principle, the data protection impact assessment is nothing more than a more detailed risk analysis related to this particular processing. Various requirements must be taken into account for it. As with the company-wide risk analysis, it is advisable to keep records of the cost/benefit considerations behind measures that were not implemented. In this way, it can be shown at any time that certain measures were discussed and for what reasons they were considered unsuitable or disproportionate.
  • A suitable security concept must be created. This must integrate the measures found necessary by the data protection impact assessment. The security concept can of course build on any existing, higher-level concepts. It describes the technical and organizational measures for protecting applications and data. Important implementation principles, such as privacy by default, must also be considered here.
  • Outside public administration, it can be assumed in most cases that the processing of personal data is based on the express consent of the data subjects. Accordingly, consent management must be established. In addition to the particularly important consent itself, the various notification and information obligations as well as the data subject's rights to object, to rectification and to erasure can also be integrated into this process. Incidentally, consent may well be obtained purely electronically, although a double opt-in procedure and some logging requirements should be implemented.
  • Data-protection-compliant agreements must be concluded with suppliers and contract processors. It is very important to note that the client cannot transfer responsibility for data protection to the processor. In any case, the client remains responsible for the processing of personal data. By means of appropriate contract clauses, the client must ensure that the processor does not, either itself or through sub-processors, perform any processing in third countries without an adequate level of protection. The contract must also list the technical and organizational measures to be implemented by the processor, and measures must be taken that enable data subjects to enforce their rights, such as the right to erasure.

Outlook

This is the end of our five-part series of articles. We hope that we were able to provide an overview and that some of the information will help you implement digitization and IT projects in accordance with the law. In just a few weeks, the new rules will take effect in earnest in the EU. At the same time, the total revision of Switzerland's Data Protection Act is also in progress. Even though a number of questions have not yet been resolved, it can be reliably predicted that Switzerland will adopt comparable rules within a few months so as not to lose its current data protection equivalence, as confirmed by the EU Commission. This means that companies focused purely on the domestic market will soon have to meet these compliance requirements as well.

About the author

Stefan Haller is an IT expert specializing in risk management, information security and data protection at linkyard. He supports companies and authorities with risk analysis in projects, with the design and implementation of compliance requirements in software solutions, and with the preparation of IT security and authorization concepts. He is certified in Risk Management and has carried out numerous security audits based on ISO 27001 over 10 years as an internal auditor. Do you have any questions about implementation in your company? stefan.haller@linkyard.ch | +41 78 746 51 16