A framework for implementing the new data protection rules
The new, harmonised EU General Data Protection Regulation (GDPR) came into force on 24 May 2016 and is to be applied from 24 May 2018 without any further transitional period. All companies operating in the EU, regardless of where they are registered, are already subject to the legislation, and corresponding legislation in Switzerland is already underway. For us, this is reason enough to examine the regulation in more detail in a series of articles.
Key elements for implementation at company level
Three main measures need to be implemented at company level.
- With very few exceptions, a data protection officer should be appointed. This person is responsible for informing and advising the controller, the employees and any contract processors about their obligations under data protection law. He or she must monitor compliance with the requirements and the implementation of the relevant measures, and also serves as contact person and coordinator for all inquiries and information flows relating to data protection. The demands placed on this person are very high, as he or she must have comprehensive expertise in the field of data protection. Especially if an in-house solution is preferred, this could prove to be an obstacle without accompanying measures, because there is a considerable risk of liability and fines if the role is not filled properly.
- A systematic risk analysis is also required. Most companies will already have a documented risk analysis, especially if their processes are ISO 9001 certified. In order to meet the special requirements of data protection, however, it is additionally recommended to include the persons whose data is processed as an independent asset in the risk analysis. This ensures that risks which might have little impact on the company itself, but a considerable one on the data subjects, are also taken into account and adequately assessed. It also makes sense to keep records of the considerations that lead to a particular assessment of a data protection-relevant risk, so that the assessment remains easily comprehensible for the required verifiability. Subsequently, appropriate measures to reduce the risks must be defined and implemented.
- There is an obligation to keep a register of processing operations. This must document which data processing operations exist - exclusively in relation to data on natural persons. It is a structured register that records each processing operation, its purpose, the persons and data concerned, the recipients of the data and the deletion periods. This measure is comparatively easy to implement - although not necessarily with little effort - as a template can be prepared and filled in.
Processing specific key elements
Once the company-wide foundations have been laid, we can look at the individual processing steps. Four measures are to be observed centrally.
- A so-called data protection impact assessment must be carried out before the productive start of a processing operation if personal data are processed. The data protection impact assessment is in principle nothing more than a more detailed risk analysis related to this particular processing operation. There are various specifications to be taken into account for this. Analogous to the company-wide risk analysis, it is advisable to keep records of the cost/benefit considerations regarding measures that have not been implemented. In this way it can be shown at any time that certain measures were discussed, and why they were considered unsuitable or disproportionate.
- A suitable security concept must be drawn up. This concept must integrate the measures deemed necessary according to the data protection impact assessment. The security concept can of course be based on any existing, higher-level concepts. It describes the technical and organisational measures for protecting the application and data. The important implementation principles such as privacy by default must also be taken into account.
- In most cases outside public administrations, it can further be assumed that the processing of personal data is based on the explicit consent of the data subjects. Consent management must be established accordingly. In addition to the particularly important consent itself, the various information and disclosure obligations as well as the data subject's rights of objection, correction and deletion can be integrated into this process. Incidentally, consent may be obtained purely electronically, in which case a double opt-in procedure and some logging requirements should be implemented.
- Data protection-compliant agreements must be concluded with suppliers/contract processors. It is important to note that the client cannot transfer the responsibility for data protection to the processor; in any case, the client remains responsible for the processing of personal data. By means of appropriate contractual clauses, the client must ensure that the processor does not carry out processing in third countries without an adequate level of protection, either itself or through subcontractors. Furthermore, the contract must list the technical and organisational measures to be implemented by the processor and take precautions to enable the data subjects to enforce their rights, such as the right to deletion.
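The double opt-in and logging requirements mentioned under consent management can be made concrete in code. The following is an added example, not code from the article or from linkyard: a minimal in-memory consent store in which a request is only valid once the subject confirms a single-use token within an assumed 48-hour window, every state change lands in an append-only log together with the purpose and the privacy-notice version shown, and withdrawal is recorded rather than deleted. The subject identifiers and purposes are constructed sample values.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

CONFIRM_WINDOW = timedelta(hours=48)   # assumed: confirmation link must be used within 48 h

@dataclass
class Consent:
    subject_id: str                     # pseudonymous subject identifier (constructed)
    purpose: str                        # the specific processing purpose consented to
    notice_version: str                 # version of the privacy notice shown at request time
    requested_at: datetime
    confirmed_at: Optional[datetime] = None
    withdrawn_at: Optional[datetime] = None

class ConsentStore:
    def __init__(self):
        self._pending = {}      # sha256(token) -> unconfirmed Consent
        self._consents = []     # confirmed consents, never deleted (withdrawal is recorded)
        self.log = []           # append-only audit trail: (when, event, subject, purpose, notice)
    def request(self, subject_id, purpose, notice_version, now):
        token = secrets.token_urlsafe(32)   # goes into the link sent to the subject; only its hash is kept
        self._pending[hashlib.sha256(token.encode()).hexdigest()] = Consent(subject_id, purpose, notice_version, now)
        self.log.append((now, "requested", subject_id, purpose, notice_version))
        return token
    def confirm(self, token, now):
        rec = self._pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if rec is None:
            return False                    # unknown or already used token: no consent recorded
        if now - rec.requested_at > CONFIRM_WINDOW:
            self.log.append((now, "expired", rec.subject_id, rec.purpose, rec.notice_version))
            return False                    # late confirmation is logged but not accepted
        rec.confirmed_at = now
        self._consents.append(rec)
        self.log.append((now, "confirmed", rec.subject_id, rec.purpose, rec.notice_version))
        return True
    def withdraw(self, subject_id, purpose, now):
        active = [r for r in self._consents if r.subject_id == subject_id
                  and r.purpose == purpose and r.withdrawn_at is None]
        for r in active:
            r.withdrawn_at = now            # keep the record as evidence of the earlier consent
        if active:
            self.log.append((now, "withdrawn", subject_id, purpose, None))
        return bool(active)
    def has_consent(self, subject_id, purpose, now):
        # check this before every processing step that relies on consent for this purpose
        return any(r.subject_id == subject_id and r.purpose == purpose and r.confirmed_at is not None
                   and (r.withdrawn_at is None or r.withdrawn_at > now) for r in self._consents)
```

In a real system the store would be a database table and the log a write-once medium; the point of the structure is that consent, its scope and its revocation are always provable from the log.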
Outlook
This is the end of our five-part article series. We hope that we have been able to give you an overview and that one or another piece of information will support you in the legally compliant implementation of digitisation and IT projects. At the same time, the total revision of the Data Protection Act is also underway in Switzerland. Even if some questions are still unanswered, it can be reliably predicted that in a few months Switzerland will also issue comparable rules in order not to lose the current Swiss equivalence in data protection, as confirmed by the EU Commission. This means that even companies that are purely oriented towards the domestic market will soon be able to benefit from these compliance requirements.
Our series of articles on the topic
- In the lead-in article we drew attention to the need for action.
- In part 1 of the series we introduced the different actors and set the framework.
- In Part 2, we examined the principles of data protection based on four pillars.
- Part 3 explained the specific requirements for the processing of special categories of personal data and for profiling, which is considered particularly critical.
- In part 4 we highlighted legally privileged, desired processing methods.
- This last part of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT project.
About the author
Stefan Haller is an IT expert specialised in risk management, information security and data protection at linkyard. He supports companies and public authorities in risk analysis for projects, in the design and implementation of compliance requirements in software solutions, and in the creation of IT security and authorisation concepts. He is certified in risk management and has carried out numerous security audits as an internal auditor on the basis of ISO 27001 for more than 10 years. Do you have questions about the implementation in your company? stefan.haller@linkyard.ch | +41 78 746 51 16