EU General Data Protection Regulation (DSGVO) - time is running out
On 25 May 2018, the EU General Data Protection Regulation (DSGVO, GDPR) becomes directly applicable. The Regulation governs the processing of personal data and its reach extends well beyond the EU. On the one hand, Swiss companies with an establishment in the EU are affected (Art. 3 para. 1 DSGVO). In addition, under the marketplace principle, the Regulation also covers companies that offer goods or services to data subjects in the EU (Art. 3 para. 2(a)) or monitor the behaviour of data subjects in the EU (Art. 3 para. 2(b)). Because of this broad scope, estimates assume that up to three quarters of all Swiss companies will be affected. Furthermore, the current revision of the Swiss Federal Data Protection Act (DSG) is expected to adopt numerous elements of the DSGVO.
The EU is serious: companies that fail to comply with the new rules face fines of up to 4% of their global annual turnover or 20 million euros, whichever is higher (Art. 83 DSGVO).
There is therefore not much time left to prepare for the DSGVO. Some of the key questions that companies need to answer are:
- To what extent and in which areas are we affected by the DSGVO?
- Do our processes guarantee the rights of data subjects, for example the right of access (Art. 15 DSGVO), rectification (Art. 16), erasure (Art. 17) and data portability (Art. 20)?
- Do we maintain a record of processing activities pursuant to Art. 30 DSGVO?
- Do we need a data protection officer in accordance with Art. 37 DSGVO?
- Do we need an EU representative pursuant to Art. 27 DSGVO?
- Have we taken appropriate technical and organisational measures to ensure the security of personal data in accordance with Art. 32 DSGVO?
- Do our processes and systems guarantee data protection by design and by default (Art. 25 DSGVO)?
- In the event of a personal data breach, are we in a position to notify the supervisory authority within 72 hours (Art. 33 DSGVO) and, where the breach is likely to result in a high risk, the affected data subjects (Art. 34 DSGVO)?
- When do we have to carry out a data protection impact assessment (Art. 35, 36 DSGVO)?
As an independent Swiss IT consulting firm, Eraneos supports companies and organisations in implementing the measures needed to meet the requirements of the EU DSGVO, for example:
- Readiness assessment to identify the key risks and prioritise areas for action
- Creation of a data inventory to identify the affected areas and to draw up the record of processing activities (Art. 30 DSGVO)
- Process analysis and process design for data subject rights such as access, erasure and portability (Art. 12-21), privacy by design and by default (Art. 25) and the data protection impact assessment (Art. 35)
- DSGVO-compliant evaluation of processors and processor contracts (Art. 28)
- IT security audit and risk analysis with regard to personal data breaches (Art. 32)
Please contact Adrian Marti, Head of Cyber Security & Privacy (adrian.marti@awk.ch, +41 58 411 97 67) if you have any questions or concerns on this subject.