With the EU General Data Protection Regulation (GDPR) and the ePrivacy Regulation in full flow, the Swiss Federal Council passed a total revision of the Federal Act on Data Protection (FADP) back in September last year. The deadline for calling a referendum against the Revised FADP (RevFADP) expired unused on 14 January 2021. Consequently, it has now become “hard fact”, and the RevFADP is expected to come into force at the end of 2021 or the beginning of 2022.
RevFADP at a glance, what you need to know:
The RevFADP is very broad and will affect almost every company in Switzerland. The most important changes include:
- The RevFADP no longer applies to personal data of companies.
- General principles continue to apply. Consent for the processing of personal data will be mandatory only if required by the RevFADP (unlike under GDPR).
- Among the rights granted to individuals, the RevFADP includes the right to data portability.
- The definition of sensitive personal data explicitly includes biometric and genetic data.
- Transparent information about data processing is required and must be understandable to the audience.
- New governance requirements are introduced, including maintaining an accurate registry of data processing activities, reporting data breaches, and carrying out data protection impact assessments.
- Foreign companies providing goods and services in Switzerland may be subject to the RevFADP and will have to appoint a Swiss representative (similar to GDPR).
- The maximum fine for non-compliance will rise from the derisory amount of CHF 10,000 to CHF 250,000 and is imposed on the individual responsible for the breach.
- Companies are free to decide whether they will appoint a data protection officer or not.
What are the next steps to prepare?
Since there is no transitional period once the RevFADP comes into force, it is wise to start immediately with a gap analysis of your company’s current situation and a compliance plan.
As a first step….
Companies should establish their starting position and ask themselves questions, such as: whose data do we process? Which types of personal data, and for which purposes? What is the potential justification for our data processing? Do we disclose personal data to third parties? Etc.
As a second step….
Companies should define the gaps between the actual and target status and the resulting need for action.
Finally, as a third step….
As it is unlikely that the measures needed to meet the obligation can all be implemented at the same time, due to budget and resource limitations, it will be important to set priorities that will enable companies to protect themselves from possible sanctions under the RevFADP in advance.
The Good News!
The good news is that all of this hard work to ensure compliance with the new RevFADP will not only avoid those costly sanctions, but can also increase your company’s reputation and value by showing that you manage personal data correctly!
Our top 3 recommendations to prioritise your actions that can benefit the valuation of your company’s data are:
- Know where personal data is and where it is coming from. Be in charge!
- Train your employees about privacy. Raise the bar by making sure employees are aware of the pitfalls.
- Select providers and tools that make it easy and legal to respect privacy (e.g. when you are choosing a new CRM tool or changing your hosting provider).
Data protection has long been a topic for companies that crosses several departmental boundaries, placing it firmly on the agenda of managers and decision makers. This is only going to become even more important as online-everything becomes an essential part of everyday life. The EU GDPR, the new Swiss RevFADP, the ePrivacy Regulation and future guidelines require companies to develop a heightened priority and a new sensitivity towards the handling and protection of personal data, and companies that act quickly will have the competitive edge. Remember, well-organised data is an asset that will bring value to your company!
Image credit: NASA/GSFC
© 2020 BRANDIT. All Rights Reserved.