Data protection action required by May 25, 2018
The legal framework for data protection is changing significantly and is forcing companies in the EU and in third countries to adapt. On May 25, 2018, the new EU General Data Protection Regulation (GDPR) comes into effect with substantial changes. However, many companies, especially in third countries such as Switzerland, are still not even aware that this new set of rules affects them directly, even though national data protection law in Switzerland remains (for now) unchanged. And this despite maximum fines of a menacing 4% of worldwide annual turnover or 20 million euros, whichever is higher.
EU General Data Protection Regulation also applies in Switzerland
With the new General Data Protection Regulation, the EU is creating a uniform legal basis for the entire EU and harmonizing the existing national legislation. Beyond harmonization, however, the EU also pursued in particular the goal of getting a grip on companies in third countries that store or process data of people residing in the EU. What is primarily aimed at Google, Facebook and Co. ultimately affects every company that stores or processes data of EU persons as part of its business activities. This includes, for example, running a CRM system (Customer Relationship Management), recording website visit data or keeping natural persons from the EU in the accounts receivable master data. Strictly speaking, the market location principle determines which data protection law applies: the GDPR covers the offering of goods or services to people in the EU and the monitoring of their behaviour, regardless of where the company is established. And thanks to the Internet, services are considered to be provided at the customer's location, even if they are delivered from Switzerland. In short: virtually every company that deals in any way with people in the EU is already directly affected.
As of May 25, 2018, the EU General Data Protection Regulation will therefore apply not only within the EU. Companies in third countries such as Switzerland must by then have implemented national data protection law and the new EU requirements in parallel.
Implementation under difficult conditions
In the next few years, Switzerland will adapt its national legislation to that of the EU in order to keep its classification by the EU Commission as a third country with an adequate level of data protection. This is particularly important for the competitiveness of Swiss-based IT companies in the EU.
Implementing the requirements in IT systems, on the other hand, may turn out to be a lot more complicated than the legal adjustment. By executive order of January 25, 2017, the US president restricted the protection of American data protection law (the Privacy Act) to US citizens and lawful permanent residents, removing it for foreigners (cf. c't from 18.4.2017: "Get out of the US clouds"). It is highly likely that this will also torpedo the EU-US Privacy Shield, which only came into force in summer 2016, together with its Swiss-US counterpart, and bury them again after just a few months.
Update 28.7.2020: As anticipated, the EU-U.S. Privacy Shield was invalidated by the European Court of Justice on July 16, 2020 (Schrems II, case C-311/18).
But which company in Switzerland does not use services from American IT companies, or has not already, consciously or unconsciously through pragmatic employees, shared data via Dropbox or similar solutions?
Which requirements must be implemented?
Reason enough for us to take a closer look at the General Data Protection Regulation in a series of articles over the next few weeks.
- Part 1 of the series introduces the various players and sets the framework.
- Part 2 sheds light on the principles of data protection, based on four pillars.
- Part 3 explains the specific requirements for processing special categories of personal data and for profiling, which is considered particularly critical.
- Part 4 highlights legally privileged, desirable processing methods.
- Part 5 of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT project.
About linkyard
linkyard specializes in implementing software solutions with high security requirements and in professionally supporting IT procurement processes. Iterative collaboration between IT security specialists such as linkyard and a specialized lawyer proves particularly advantageous when data protection requirements have to be implemented correctly and economically in IT systems. The search for the most cost-effective and at the same time legally compliant solution often requires several implementation variants to be prepared and evaluated, and the first workable solution usually undergoes a few adjustments. We would be happy to support your project as well.