GDPR in force now – Answers to the most important questions
The EU GDPR (General Data Protection Regulation) recently caused a sensation. Most affected Swiss companies have prepared themselves well for the new regulation. GDPR is in force now. What should we expect and what does the new law mean for Swiss companies?
Status of implementation: Swiss DPA also affected and under revision
Many Swiss companies had to examine their business activities and decide whether they fall under the GDPR or not. This required a number of clarifications. International companies were practically all affected, but many local companies concluded that the GDPR does not apply to them. Nevertheless, some of the marginally affected Swiss companies have decided to establish a GDPR-compliant data protection framework as a precaution in view of the forthcoming Swiss data protection law, because the content of the revised Swiss DPA is essentially the same as that of the GDPR. These companies, however, have a bit more time to build their data protection compliance framework.
The GDPR has given rise to a raft of questions, including:
Maturity: How can the GDPR be integrated into a company’s compliance framework? Which non-compliance risks has the company identified, and how will it mitigate them? Since the regulation was enacted in May 2016, companies have had to ask themselves these and many other questions, making the implementation a mammoth task!
Structure: The demanding practical implementation made it clear that the GDPR was written from the perspective of the data subjects and not from the perspective of the companies concerned. The law foresees the roles of a “data controller” and “data processor”. Companies now have to interpret how the specifications can be implemented in practice. Accordingly, the solutions and thus the current status of compliance of the individual companies vary greatly.
The GDPR compliance framework elements that should be available at least as of today are the following:
- A documented clarification and decision as to whether, and in which business areas, the company is subject to the GDPR
- Privacy data governance with clear roles and responsibilities, sometimes with a data protection officer (DPO) where one is required by the GDPR
- Adjustment of the contractual regulations with third parties regarding personal data
- A prepared process for the collection, review and, where necessary, reporting of data breaches
- Records of processing activities for personal data
- Where necessary, the corresponding data protection impact assessments
- Ensuring a lawful basis for each processing of personal data. Please note that obtaining “consent” is only one of six possible options!
- Processes for fulfilling the obligations towards data subjects: requests for information and rectification, the “right to be forgotten” or demands for data deletion, and demands for data minimization
- Establishment and documentation of an adequate level of technical protection to continuously safeguard personal data (e.g. by means of ISO 27001 certification)
- Integration of data protection risks into risk management and development of corresponding controls and documentation for auditing capability
Due to the individual risks associated with each company’s activities, very few companies have by now fully implemented all elements into their operations. However, the core elements, such as policies and processes, should have been established in most cases.
Conflict with other global regulations
The GDPR concerns the EU, but also has extraterritorial effects. Swiss companies are per se outside the EU and often active outside the EU. In countries such as China and Russia, they encounter local regulations, some of which are diametrically opposed to the GDPR. These companies were therefore forced to create a global mapping of regulations and to work out concepts on how data storage and data exchange can take place despite the partly contradictory regulatory requirements.
In view of the recent events involving Facebook and Cambridge Analytica, we can expect that the USA and other countries will issue GDPR-like regulations in the near future.
The challenge of “data protection authorities”: will an EU authority check whether the GDPR has been implemented properly?
The central question for companies is: how will the authorities behave? Will I be inspected? And can I be held accountable by an EU authority?
With the GDPR, the legislator has also put the authorities in a difficult situation, since it gives the authorities considerably more power to control and sanction. However, little thought has been given to the effects and what this will mean for the authorities’ resources.
If all serious and allegedly serious data protection breaches (of which there are likely to be more) were to find their way to the authorities, they would be hopelessly overrun. The EU authorities have in some cases hired hundreds of additional employees, but this is unlikely to be enough to process the expected volume. The high fines signal that the authorities mean business, so it is to be expected that companies will report more breaches than necessary in order to avoid risking a heavy fine.
Recognizing this situation, individual EU authorities have stated that they would not be proactive, at least initially. Nevertheless, they must comply with their legal obligations in the event of actual breaches of data protection laws. Their limited resource situation will therefore force them to prioritize and it is to be expected that at the beginning, the focus will be on the very difficult cases.
In order to be able to handle all other cases, the authorities will have three options:
- Extend the time taken to process cases
- Create alternative and sufficiently efficient processes
- Delegate tasks to third parties (e.g. accredited auditing companies)
There is still some leeway for companies to implement GDPR measures at the outset. However, if complaints come in, both the authority and the company must take action. The minimum readiness listed above is therefore necessary.
Over time, however, the legally possible proactive activities will certainly also take place. It can also be assumed that fines will be a means of financing the many new officials in the future. Therefore, the establishment of a solid data protection compliance framework is indispensable in the long term.