When you click on "Accept all cookies"click, you agree to the storage of cookies on your device to improve website navigation, analyze site usage, and support our marketing efforts. For more information, see our privacy policy.

Privacy preferences

When you visit websites, they can save or retrieve data in your browser. This storage is often required for the basic functions of the website. The storage can be used for marketing, analytics, and website personalization, such as saving your preferences. Data protection is important to us, so you have the option to disable certain types of storage that are not necessary for the basic function of the website. Blocking categories may affect your experience on the site.

Reject all cookies Allow all cookies

Manage consent preferences by category

Essential

Always active

These elements are required to enable the basic functions of the website.

marketing

Essential

These elements are used to deliver advertising that is more relevant to you and your interests. They can also be used to limit the number of ads shown and to measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the website operator.

Personalization

Essential

This data allows the website to remember choices you make (such as your username, language, or the region you are in) and offer enhanced, more personalized features. For example, a website can offer you local weather reports or traffic news by saving data about your current location.

Analytics

Essential

This data helps the website operator understand how their website works, how visitors interact with the website and whether there may be technical problems. This type of storage generally does not collect information that identifies a visitor.

Confirm and close my settings

A framework for implementing the new data protection regulations

Stefan Haller

16.4.2018

The new, harmonized EU General Data Protection Regulation came into force on May 24, 2016 and is applicable from May 24, 2018 without any further transition period. All companies operating in the EU, regardless of their headquarters, are already subject to legislation. Legislative implementation in Switzerland is already in progress. This is a reason for us to take a closer look at the General Data Protection Regulation in a series of articles.

Key elements for implementation at company level

‍

At company level, there are three main measures to be implemented.

With very few exceptions, a data protection officer must be appointed. It has the task of informing and advising responsible persons, employees and any contract processors about their data protection obligations. He must monitor compliance with the requirements and the implementation of relevant measures. He also serves as a contact person and coordinator for all inquiries and information flows regarding data protection. The requirements placed on this person are very high, as he should have extensive expertise in the area of data protection. Especially if an internal company solution is preferred, this could prove to be a hurdle without accompanying measures. This is because there are considerable risks of liability and fines if implemented improperly.
A systematic risk analysis is also required. Most companies will already have a documented risk analysis, particularly if their processes are ISO 9001 certified. However, in order to meet the special data protection requirements, it is also recommended that the persons for whom data are processed as an independent asset in the risk analysis. This ensures that specific risks that might have little impact on the company itself are also taken into account and adequately assessed. On the other hand, it is useful to document records relating to the various considerations that contribute to a specific assessment of a data protection-relevant risk in order to make this easy to understand in terms of the required controllability. Appropriate measures to reduce risks must then be defined and implemented.
There is an obligation to keep a record of processing operations. It must document which data processing exists - exclusively in relation to data relating to natural persons. This is a structured directory that documents the processing, its purpose, the persons and data subjects, the recipients of data and deletion periods. This measure is comparatively easy - although not necessarily with little effort - to implement, as a corresponding template can be prepared and completed.

Processing-specific key elements

‍

Once the company-wide principles have been laid down, we can look at the individual processing operations. Four measures must be taken into account centrally.

Carry out a so-called data protection impact assessment before the productive start-up of processing, provided that personal data is processed. In principle, the data protection impact assessment is nothing more than a more detailed risk analysis related to this particular processing. There are various requirements to be considered for these. Similar to company-wide risk analysis, it is advisable to keep records of cost/benefit considerations relating to measures not implemented. For example, it can be shown at any time that certain measures were discussed and for what reasons they were considered unsuitable or disproportionate.
A suitable security concept must be created. This must integrate the measures found necessary in accordance with the data protection impact assessment. The safety concept can of course be based on any existing, higher-level concepts. It describes the technical and organizational measures to protect applications and data. Important implementation principles, such as privacy-by-default, must also be considered here.
In most cases outside public administrations, it can also be assumed that processing of personal data is based on the express consent of the persons concerned. Accordingly, consent management must be established. In addition to the particularly important consent itself, the various information and information obligations as well as the rights of the person concerned to object, correct and delete can also be integrated in this process. By the way, consent may well be obtained purely electronically, although a double opt-in procedure and some logging requirements should be implemented.
Data protection-compliant agreements must be concluded with suppliers/contract processors. It is very important to note that the client cannot transfer responsibility for data protection to the order processor. In any case, he remains responsible for processing personal data. By means of appropriate contract clauses, the client must ensure that the processor does not perform any processing in third countries without an adequate level of protection itself or through sub-suppliers. The contract must also list the technical and organizational measures to be implemented by the processor and measures must be taken which enable data subjects to enforce their rights, such as the right to deletion.

outlook

This is the end of our five-part series of articles. We hope that we were able to provide an overview and that some information will help you implement digitization and IT projects in accordance with the law. In just a few weeks, the new rules will become serious in the EU. At the same time, Switzerland also has Total revision of the Data Protection Act in progress. Even though a number of questions have not yet been resolved, it can be reliably predicted that Switzerland will also adopt comparable rules in a few months so as not to lose Switzerland's current equivalence in data protection, as confirmed by the EU Commission. This means that companies focused purely on the internal market will soon be able to benefit from these compliance requirements.

Our series of articles on the subject

In We have lead-in articles on the need for action alerted.
In First part of the series, we introduce the various actors and unclip the frame.
In In part 2, we examined the principles based on four pillars of data protection.
Part 3 explained the specific requirements for processing special categories of personal data and profiling, which is considered particularly critical.
In Part 4, we examined legally privileged, desired processing methods.
This last part of the series concludes with a framework for pragmatic and appropriate implementation of data protection in your IT project.

About the author

Stefan Haller is an IT expert specializing in risk management, information security and data protection at linkyard. He supports companies and authorities in risk analysis in projects, the design and implementation of compliance requirements in software solutions and in the preparation of IT security and authorization concepts. He is certified in Risk Management and has carried out numerous security audits based on ISO standard 27001 over 10 years as an internal auditor. Do you have any questions about implementation in your company? stefan.haller@linkyard.ch | +41 78 746 51 16

Linkyard has already successfully established itself in the first half of the financial year and is making a profit

Linkyard has already successfully established itself in the first half of the financial year and is making a profit

Linkyard has already successfully established itself in the first half of the financial year and is making a profit

Yuliya Miller

A framework for implementing the new data protection regulations

Key elements for implementation at company level

Processing-specific key elements

outlook

Our series of articles on the subject

About the author

More posts from us

How the world traveler Andreas found linkyard

We warmly welcome sports enthusiast and family man Fabio

Two ways to switch to the Atlassian Cloud more cheaply

Offerings

Webpage

Utility

Contact