By clicking"Accept all cookies", you agree to the storage of cookies on your device to improve website navigation, analyze website usage and support our marketing activities. For more information, please see our Privacy Policy.

Privacy preferences

When you visit websites, they may store or retrieve data in your browser. This storage is often necessary for the basic functions of the website. Storage may be used for marketing, analytics, and website personalization, such as storing your preferences. Privacy is important to us, so you have the option to disable certain types of storage that are not necessary for basic website functionality. Blocking categories may affect your experience on the website.

Deny all cookies Allow all cookies

Manage approval preferences by category

Essential

Always active

These elements are necessary to enable the basic functions of the website.

Marketing

Essential

These elements are used to deliver advertising that is more relevant to you and your interests. They can also be used to limit the number of ads and measure the effectiveness of advertising campaigns. Advertising networks usually place them with the permission of the website operator.

Personalization

Essential

This data allows the website to remember choices you have made (for example, your username, language, or the region you are in) and to offer enhanced, more personalized features. For example, a website can offer you local weather reports or traffic news by storing data about your current location.

Analytics

Essential

This data helps the website operator understand how their website is performing, how visitors are interacting with the website, and if there may be any technical problems. This type of storage does not usually collect information that identifies a visitor.

Confirm and close my settings

A framework for implementing the new data protection rules

Stefan Haller

16.4.2018

The new, harmonised EU basic data protection regulation came into force on 24 May 2016 and is to be applied from 24 May 2018 without any further transitional period. All companies operating in the EU, regardless of their registered office, are already subject to the legislation. Legal compliance in Switzerland is already underway. For us, this is a reason to examine the basic data protection regulation in more detail in a series of articles.

Key elements for implementation at company level

‍

Three main measures need to be implemented at company level.

With very few exceptions, a data protection officer should be appointed. This person is responsible for informing and advising the responsible persons, employees and any contract processors about their obligations under data protection law. He must monitor compliance with the requirements and the implementation of relevant measures. He also serves as contact person and coordinator for all inquiries and information flows relating to data protection. The demands placed on this person are very high, as he or she must have comprehensive expertise in the field of data protection. Especially if a company-internal solution is preferred, this could prove to be an obstacle without accompanying measures. This is because there is a considerable risk of liability and fines if the solution is not implemented properly.
A systematic risk analysis is also required. Most companies will already have a documented risk analysis, especially if their processes are ISO 9001 certified. In order to meet the special requirements of data protection, however, it is additionally recommended to include the persons for which data is processed as an independent asset in the risk analysis. This ensures that specific risks are also taken into account and adequately assessed, which might have little impact on the company itself. On the other hand, it makes sense to document records regarding the various considerations that contribute to a particular assessment of a data protection-relevant risk in order to make this easily comprehensible in terms of the required controllability. Subsequently, appropriate measures to reduce the risks must be defined and implemented.
There is an obligation to keep a register of processing operations. This must document which data processing operations exist - exclusively in relation to data on natural persons. This is a structured register that documents the processing, its purpose, the persons and data concerned, the recipients of data and deletion periods. This measure is comparatively easy to implement - although not necessarily with little effort - as a template can be prepared and filled in.

Processing specific key elements

‍

Once the company-wide foundations have been laid, we can look at the individual processing steps. Four measures are to be observed centrally.

To carry out a so-called data protection impact assessment before the productive start of a processing operation, if personal data are processed. The data protection impact assessment is in principle nothing more than a more detailed risk analysis related to this particular processing operation. There are various specifications to be taken into account for this. Analogous to the company-wide risk analysis, it is advisable to keep records of cost/benefit considerations regarding measures that have not been implemented. For example, it can be shown at any time that certain measures have been discussed and the reasons why they were considered unsuitable or disproportionate.
A suitable security concept must be drawn up. This concept must integrate the measures deemed necessary according to the data protection impact assessment. The security concept can of course be based on any existing, higher-level concepts. It describes the technical and organisational measures for protecting the application and data. The important implementation principles such as privacy by default must also be taken into account.
In most cases outside public administrations, it can further be assumed that processing of personal data is based on the explicit consent of the data subjects. Consent management must be established accordingly. In addition to the particularly important consent itself, the various information and disclosure obligations as well as the data subject's rights of objection, correction and deletion can be integrated in this process. Incidentally, consent may be obtained purely electronically, whereby a double opt-in procedure and some logging requirements should be implemented.
Data protection-compliant agreements must be concluded with suppliers/contract processors. It is important to note that the client cannot transfer the responsibility for data protection to the processor. In any case, he remains responsible for the processing of personal data. By means of appropriate contractual clauses, the client must ensure that the processor does not carry out processing in third countries without an adequate level of protection, either himself or through subcontractors. Furthermore, the contract must list the technical and organisational measures to be implemented by the processor and take precautions to enable the data subjects to enforce their rights, such as the right to deletion.

Outlook

This is the end of our five-part article series. We hope that we have been able to give you an overview and that the one or other piece of information will support you in the legally compliant implementation of digitisation and IT projects. At the same time, the total revision of the Data Protection Act is also underway in Switzerland. Even if some questions are still unanswered, it can be reliably predicted that in a few months Switzerland will also issue comparable rules in order not to lose the current Swiss equivalence in data protection, as confirmed by the EU Commission. This means that even companies that are purely oriented towards the domestic market will soon be able to benefit from these compliance requirements.

Our series of articles on the topic

In the lead-in article we drew attention to the need for action.
In part 1 of the series we introduce the different actors and set the framework.
In Part 2, we examined the principles of data protection based on four pillars.
Part 3 explained the specific requirements for the processing of special categories of personal data and for profiling, which is considered as particularly critical.
In part 4 we highlighted legally privileged, desired processing methods.
This last part of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT project.

About the author

Stefan Haller is an IT expert specialized in risk management, information security and data protection at linkyard. He supports companies and public authorities in risk analysis in projects, the design and implementation of compliance requirements in software solutions as well as in the creation of IT security and authorization concepts. He is certified in risk management and has carried out numerous security audits as an internal auditor on the basis of the ISO standard 27001 for more than 10 years. Do you have questions about the implementation in your company? stefan.haller@linkyard.ch | +41 78 746 51 16

Psychology and marketing combined: Laura is our new Marketing Assistant.

Psychology and marketing combined: Laura is our new Marketing Assistant.

Psychology and marketing combined: Laura is our new Marketing Assistant.

Laura Michel

A framework for implementing the new data protection rules

Key elements for implementation at company level

Processing specific key elements

Outlook

Our series of articles on the topic

About the author

More posts from us

Philosophy meets technology: our new Support Engineer Daniele has a wide range of interests.

From bank apprenticeship to IT consultant: We welcome Alex to linkyard

Ice hockey, traveling and programming: Our new consultant Rico

Offerings

Website

Utility

Contact