On 1st September 2023, Switzerland will introduce a new data protection law (nFAPD) aimed at enhancing the protection of personal data and ensuring responsible data handling practices by organisations.
The promulgation of this change is driven by recent technological advancements, increased concerns regarding data privacy and alignment with European Union (EU) regulations. The enhancement of Data Privacy laws has been topical, with the Swiss Financial Market Supervisory Authority (FINMA) having recently developed and published an update of its data protection law. The nFAPD aims to address the evolving challenges posed by data protection risks and to strengthen the governance of data handling practices across all firms, including banks and securities firms in Switzerland. These countries follow suit with other jurisdictions (the United Kingdom and Europe), also having implemented data protection regulations since 2018.
Interestingly, unlike the EU’s General Data Protection Regulation (GDPR), the nFAPD introduces the possibility of imposing personal fines for various violations. Management and the board of directors may be liable if they fail to take the necessary steps to ensure or restore compliance with data protection regulations. Remedial action will typically involve financial penalties and providing regular updates to the regulator on progress made in closing issues identified.
This article provides an informative overview of the upcoming Swiss data protection law and its implications for businesses operating within the country.
Designing an effective compliance framework:
Compliance with the new data protection law is not prescriptive, and each organisation must design its data protection framework, considering factors such as size, complexity, structure, and risk profile. This flexibility allows for customised solutions but also presents challenges as interpretations and requirements may vary. Organisations can gain valuable insights from the Information Commissioner’s Office (ICO), Data Protection Act (DPA), and the European Data Protection Board’s (EDPB) Global Data Protection Regulations (GDPR), to which there are high levels of alignment with the Swiss requirements.
The similarity of the Swiss regulations to other global regulations means firms can benefit from our learning in the market to streamline their implementations.
Challenges and common pitfalls:
As organisations navigate the implementation of the new data protection law, they may encounter various challenges and common pitfalls, including:
- Simplifying data protection measures: streamlining strategies for effective compliance
- Enhancing clarity in end-to-end data handling processes
- Striking a balance: meeting regulatory expectations whilst considering practicality
- Fostering cross-functional engagement for successful data protection
- Cultivating a data protection mindset across the organisation
- Board-level accountability: understanding and embracing data protection responsibilities
- Defining impact tolerances: establishing appropriate data security thresholds
- Clarity in outsourcing: allocating responsibilities for critical processes
- Strengthening third-party management: addressing inadequate data protection arrangements
Guidelines for a strong compliance response:
To enhance the likelihood of a robust compliance response, organisations should consider the following approaches:
- Building a solid governance framework strengthening compliance oversight
- Thorough scope definition: identifying critical business services for enhanced compliance
- Effective reporting and control frameworks: managing vulnerabilities with precision
- Empowering data leadership: the role of the Chief Data Officer
- Collaborating with third parties: early engagement for data protection alignment
- Rigorous scenario testing: strengthening data protection preparedness
- Board engagement and accountability: driving data protection from the top
- Leveraging consulting support: accelerating compliance response with expertise
Conclusion:
The implementation of Switzerland’s new data protection law signifies an important step towards strengthening data privacy and security. As businesses adapt to this regulatory landscape, understanding the challenges, adopting successful approaches, and seeking expert advice can help organisations effectively comply with the new law and safeguard personal data.
Davies, a Davies company, can apply its expertise to understand the company’s compliance status comprehensively. Additionally, it can assist the data protection office or an external advisor in identifying necessary actions within the company or specific departments while providing an overview of data security.
For further guidance on navigating the Swiss data protection law requirements, our experienced team of advisors specialising in data protection and privacy is available to assist. Contact us to discuss any aspect of this article or explore our practical compliance approach.
You can access the official text of the nFAPD here (https://www.fedlex.admin.ch/eli/cc/2022/491/fr)
