The EU GDPR (General Data Protection Regulation) recently caused a sensation. Most affected Swiss companies have prepared themselves well for the new regulation. GDPR is in force now. What should we expect and what does the new law mean for Swiss companies?
Many Swiss companies had to examine their business activities and decide whether they will fall under the GDPR or not. This required a number of clarifications. International companies were practically all affected, but many local companies concluded that the GDPR does not apply to them. However, some of the marginally affected Swiss companies have decided to establish a GDPR-compliant data protection compliance framework nonetheless as a precaution in view of the upcoming Swiss data protection law because the content of the forthcoming Swiss DPA is essentially the same as that of the GDPR. However, these companies have a bit more time to create a data protection compliance framework.
The GDPR has given rise to a raft of questions, including:
Maturity: How can the GDPR be integrated into a company’s compliance framework? Which non-compliance risks has the company identified and how will it mitigate these? Since the regulation was enacted in May 2016, companies have had to ask themselves these and many other questions, making the implementation a mammoth task!
Structure: The demanding practical implementation made it clear that the GDPR was written from the perspective of the data subjects and not from the perspective of the companies concerned. The law foresees the roles of a “data controller” and “data processor”. Companies now have to interpret how the specifications can be implemented in practice. Accordingly, the solutions and thus the current status of compliance of the individual companies vary greatly.
The GDPR compliance framework elements that should be available at least as of today are the following:
Due to the individual risks associated with each company’s activities, very few companies have by now fully implemented all elements into their operations. However, the core elements, such as policies and processes, should have been established in most cases.
The GDPR concerns the EU, but also has extraterritorial effects. Swiss companies are per se outside the EU and often active outside the EU. In countries such as China and Russia, they encounter local regulations, some of which are diametrically opposed to the GDPR. These companies were therefore forced to create a global mapping of regulations and to work out concepts on how data storage and data exchange can take place despite the partly contradictory regulatory requirements.
In view of the recent events involving Facebook and Cambridge Analytica, we can expect that the USA and other countries will issue GDPR-like regulations in the near future.
The central question for companies is: how will the authorities behave? Will I be inspected? And can I be held accountable by an EU authority?
With the GDPR, the legislator has also put the authorities in a difficult situation, since it gives the authorities considerably more power to control and sanction. However, little thought has been given to the effects and what this will mean for the authorities’ resources.
If all serious and allegedly serious data protection breaches (of which there are likely to be more) were to find their way to the authorities, they would be hopelessly overrun. The EU authorities have in some cases hired hundreds of additional employees, but this is unlikely to be enough to process the expected volume. The high fines signal that the authorities mean business, and so it is to be expected that companies will report more breaches than necessary in order to avoid risking a heavy fine.
Recognizing this situation, individual EU authorities have stated that they would not be proactive, at least initially. Nevertheless, they must comply with their legal obligations in the event of actual breaches of data protection laws. Their limited resource situation will therefore force them to prioritize and it is to be expected that at the beginning, the focus will be on the very difficult cases.
In order to be able to handle all other cases, the authorities will have three options:
There is still some leeway for companies in implementing GDPR measures at the outset. However, if complaints come in, both the authority and the company must take action. The minimum readiness listed above is therefore necessary.
Over time, however, the legally possible proactive activities will certainly also take place. It can also be assumed that fines will be a means of financing the many new officials in the future. Therefore, the establishment of a solid data protection compliance framework is indispensable in the long term.
EU authorities operate within the EU. If they want to enforce the extraterritorial effects of the GDPR through measures of their own, this would have to take place via corresponding cooperation agreements. It is still unclear how this could work for an EU regulator wishing to take action in Switzerland. However, it will certainly be possible to address units of Swiss companies located in the EU.
Initiatives are currently underway by many auditing companies (including KPMG) to obtain accreditation as GDPR certifiers from the relevant state authorities. The first accredited certifiers are expected in late summer. From then on it should be possible to obtain GDPR certification.
Given the high financial impact of a fine, most auditors will consider that GDPR non-compliance is a high risk and will propose appropriate audits to those responsible for audits in the respective boards.
It cannot be ruled out that companies may attempt to interfere with competitors by using individual data subjects to claim violations of GDPR by their competitors.
It cannot be excluded that customers or employees will use their rights under the GDPR to take revenge on a company. Companies should therefore prepare themselves for how to deal with such a situation. The so-called “GDPR Nightmare Letter” is already circulating on the net. Even though most of its demands can hardly be enforced, it gives an indication of the ideas circulating in such groups.
At the same time, more and more people will learn about their rights through the media, think about them and ask questions.