Digital innovation & data protection according to the GDPR: what are the main requirements and how can Swiss and European companies transform their mandatory adaptation process into a business opportunity?

The General Data Protection Regulation (GDPR, in German Datenschutz-Grundverordnung or DSGVO and in French Règlement Général sur la Protection des Données or RGPD) became compliant for all on May 25, 2018. “All” includes many Swiss companies, which fall under the GDPR’s scope because of the configuration of their business activities.

However, in particular among Swiss SMEs[1], only few took the adaptation needs seriously and performed a thorough analysis of their internal processes touching personal data. The Regulation’s legal language is not easy to understand. The topic is complex, and finding an efficient way to implement the required changes without creating a (financial and IT) monster is not straight-forward.

This article is aimed at helping Swiss companies and in particular SMEs understand what concrete steps they should undertake to be in line with the GDPR’s requirements, and to view this adjustment necessity as a business opportunity for digital innovation.

Wake-up call for Swiss companies

The GDPR regulates personal data of EU citizens and residents. It intrinsically bears an extraterritorial effect as it must be respected globally by companies treating such data, including Swiss companies. Swiss banks that advertise their private banking services online for prospects in the EU, a Swiss machinery company that delivers products to the EU branch of a Chinese Group or a Swiss organisation using web tools to track cookies or IP addresses of people visiting its website from EU countries, all fall under the GDPR. All of them are now accountable under the GDPR for the personal data they control and / or process.

Fines for non-compliance are significant: they can amount to €20 millions or 4% of yearly global annual turnover, whichever higher. For example, fines were announced up to: Google €50 millions, British Airways £183 millions, Marriott £99 millions and Facebook $2.2 billions, all in 2019. Europe wants to make a clear statement that it will no longer accept “fiddling” with personal data. In addition to those fines, each data subject concerned keeps his right to additionally seek personal compensation for the damages.

In court cases until now, the highest fines were imposed on breaches to Privacy by Design or Explicit Consent (cf. definitions below).

When defining the amount of a fine, data protection authorities assess not only the consequences of a GDPR violation, for example of a cyber hack, but also the types of safeguards put into place previously, i.e. if the data controller / processor “had done his job”: if personal data or emails were encrypted, servers and IT systems up to loyalty programmes (traditionally less focused on, as opposed to transactions) secured, if companies had performed data audits and identified how customer data is collected, handled, stored, who can access it and how, employees sufficiently trained, proper IT due diligence done prior to an acquisition, etc. as we will see.

To become GDPR compliant requires a company-wide cultural change and a re-engineering of important internal process. In that context, it could be helpful to Swiss companies of all sizes to look for professional advice, and to beef up their (cyber) security processes in order to proactively move from an approach that is manual and periodic to a continuous one.

The GDPR cookbook: 13 requirements towards compliance

To understand the GDPR better, let’s start by clarifying four central notions:

• A data subject is a legal person (an individual or organisation) whose data is processed.
• Personal data refers to any information related to a data subject that can be used, directly or indirectly, to identify a person. There are 2 more central definitions to understand – bear with me:
• a data controller is a party who decides why and how personal data will be processed, and
• a data processor is a party that processes personal data on behalf of a data controller. Processing of data includes: collecting, recording, organising, structuring, storing, using, erasing… Data controller and data processor can be the same but that is not necessarily the case as processing can be outsourced to a third party.

The EU wanted a consumer-oriented legislation, making clear that data subjects own their data and loan them to controllers and processors, and that they have the power to choose whom they give the right to collect, use and protect their data. In that perspective, the Regulation sets 13 central requirements:

1. Privacy by design (and default) is the overarching requirement. Data protection must be included from the onset of the designing of systems. That includes data minimization (collect and process only as much data as absolutely necessary for the purposes specified) and clear role-based rights towards access limitation. It is important to note that a data controller is considered responsible for data protection all over the process, including third parties such as cloud supplier, IT servers, outsourcing services,… wherever relevant.
2. Explicit consent: the request for consent from users to process their data must be given in a short, intelligible and easily accessible form (ideally “opt-in” and not by default), with the purpose for the data processing neatly exposed. It must also be clear and easy for users to withdraw their consent. Parental consent is required for children below 13. And importantly, documentary evidence of the consent must be kept.Data can be processed only for the legitimate purposes specified and stored only for as long as necessary for that purpose. If the purpose changes, then the data subject must be notified and explicit consent asked again.
3. Right to access: the right for data subjects to obtain from the data controller confirmation as to whether or not their personal data is being processed, where and for what purpose. The controller shall also be able to provide a copy of the data, free of charge, in an electronic format, after having properly checked the identity of the data subject of course. All within 30 days.
4. Right to rectification: a user can require correction of outdated or wrong personal data. Data must be kept accurate and up to date.
5. Right to erasure: the data subject can force the data controller to erase, cease further dissemination, and potentially have third parties halt processing of his personal data (by Intrum Justitia, etc), under the conditions that the data is no longer relevant to the original purposes for processing, or if a data subject withdraws consent. Complete erasure should happen within 30 days, except what is needed for audit purposes.
6. Right to restriction of processing or right to object: similar to the previous one, without the obligation to erase.
7. Data portability: the right for a data subject to receive their personal data and transfer them to another controller. After the transfer, the data controller must erase the relative data from its records, except what is needed for audit purposes.
8. Automated decision-making: the obligation to inform data subjects and give the opportunity to comment when an individual decision that produces legal effects or significantly affects them is taken solely on the basis of an automated data processing system, for example if a lender bases its credit decisions solely on an automated basis, i.e. most likely in relation to artificial intelligence – machine-learning – and an evolutive algorithm.
9. Mandatory breach / hack notification: within 72 hours, to the authorities. Which may be waived if data was encrypted to make it useless to an attacker.
10. Appointment of a Data Protection Officer (DPO): public authorities and organisations that engage in large scale systematic monitoring or in large scale processing of sensitive personal data must appoint a DPO. Depending on their business configuration, other data controllers may have to appoint a DPO.As a minimum, every company should nominate an experienced individual to become responsible for data protection. That person must understand the GDPR and how it applies to the organisation, add a data privacy policy to the employee handbook, advise employees about their responsibilities, conduct data protection trainings and audits, make sure that access to personal data is limited to employees who need it, document and store data processing records internally (what data is collected, how it is used, where it is stored, which employee is responsible for it), monitor GDPR compliance, perform annual privacy impact assessments and data audits, implement technical and organisational security measures, have Data Processing Agreement contracts in place with third parties, and serve as a liaison with authorities. Responsibilities are vast.The GDPR frees SMEs (< 250 FTEs) from record-keeping obligations in most cases, however not from compliance obligations.
11. End-to-end cyber security: companies must implement security solutions that scan and monitor not just the organisation-owned and managed assets, but also all third-party systems.A company that wants to save customers’ data on an external cloud, for example in relation to a CRM with 360° customer vision (including data from social media), should be aware that it will be accountable end-to-end and that it should therefore perform regular audits of the cloud provider.
12. Email security: EU institutions encourage the use of two-factor authentication, zero-access, end-to-end encryption and data processing agreements.
13. File-sharing: EU institutions encourage the use of zero-access, end-to-end encrypted file synchronisation and sharing, with public key and client-side integrity protection.

Organisations overall and in particular C-levels, Legal officers, requirements engineers, business analysts, project and product managers, product owners have a responsibility to know the core GDPR requirements and make sure that existing and new products are compliant. Internal processes must be modified wherever necessary, testing done to prove the compliance and the information kept for audits.

An opportunity for digital innovation in CH and the EU

Compliance to the GDPR can be transformed into additional value, as consumers are becoming increasingly aware that their personal data is a precious resource. And that a leakage can seriously complicate their life, at least for some time. Swiss companies could consider data protection part of the “Swiss quality” value proposition and market it as such. Some Swiss companies such as ProtonMail (encrypted emailing), Tresorit (encrypted file sharing) and Threema (chat provider, competitor to Whatsapp) have already made it their unique selling proposition.

Furthermore, steps towards GDPR compliance include processes re-engineering and the use of new digital technology. That reviewing of internal processes and IT enterprise architecture often leads not only to digitalisation but also to a higher degree of automation and the renewal of – often outdated – technology stack. In particular when accompanied by the appropriate cultural change towards Agility, the new processes can enable companies towards digital business, to propose faster development and release cycles for business ideas and to react faster to digital innovations on the market. Higher speed-to-market is a major trump in today’s accelerating world.

The occurrence of a digitalised business world fuelled by data has led to the emergence of new compliance requirements towards data protection. The main 13 requirements from EU’s GDPR entail design, organisational, technical and process-related fundamentals. To become GDPR-compliant is a complex project. It can be transformed into an opportunity to re-think the strategy and business model, for broad organisational change and digitalisation. In that sense, data protection can also represent an opportunity for digital innovation.

In addition, based on the Parliamentary discussions up to now, it appears that the upcoming new Swiss Federal Data Protection Act (E-FADP, expected early 2021) will be very similar to the GDPR. Work done to become GDPR-compliant will thus also be relevant for the future FADP, and will not have to be done a second time.

SwissQ offers a concrete training in data protection (“Digital Innovation and Data Protection”) as well as consulting on the GDPR, Swiss Law and data protection in the form of DPO as a Service, in relation to a specific project or product, as well as organisation-wide to help assess your specific situation and the performance of your duties towards privacy impact assessments and annual audits up to internal trainings and communication with authorities. Under the lead of a data protection expert, our requirements engineers and testers can further make sure you develop new products and services that are compliant.

Being from the Business and IT, we have the competencies to help you efficiently gain the needed know-how and put in place the necessary processes.

* https://swissq.it/en/course/digitale-produkte-und-datenschutz/

Official resources:

ProntonMail is a zero-access, end-to-end encrypted emailing service, based on a data processing agreement. https://protonmail.com

Threema, a chat provider (competitor of Whatsapp) is a concrete example of an application that has been built based on privacy by design: no phone number is required to register, end-to-end encryption is guaranteed and as little data as possible is generated on servers, so that collection of meta-data is restrained – i.e. contacts are saved only on the user’s device (synchronising online is optional if one is worried to lose them) and messages are deleted immediately after delivery. https://threema.ch/en

Tresorit markets zero-access, end-to-end encrypted file synchronisation and sharing, with public key and client-side integrity protection. https://tresorit.com

Official GDPR text:

https://gdpr-info.eu

The European Data Protection Board (EDPB): https://edpb.europa.eu

The European Commission on the GDPR – practical answers and examples: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/principles-gdpr

General information about the GDPR, especially targeted towards SMEs: https://gdpr.eu/what-is-gdpr/

https://www.kmu.admin.ch/kmu/en/home/concrete-know-how/sme-management/e-commerce/data-protection.html

Official draft (still being modified) of the new Federal Act on Data Protection (FADP) in Switzerland: https://www.parlament.ch/en/ratsbetrieb/suche-curia-vista/geschaeft?AffairId=20170059

FINMA’s 2018/3 circular on outsourcing and obligations of data controllers / processors for banks and insurances, in Switzerland: https://www.finma.ch/en/news/2017/12/20171205-mm-rs-outsourcing/

The Confidential Computing Consortium, an open source project of the IT industry aimed at developing standards and technologies towards data protection: https://confidentialcomputing.io

Anne-Liliane Jorand, certified Data Protection Officer (DPO), Senior Consultant

Anne-Liliane.Jorand@SwissQ.it

[1] According to PWC Switzerland, «(…) most SMEs in (Switzerland) aren’t even aware that the new regulations affect them directly and that they have to act now.” https://disclose.pwc.ch/26/en/why-swiss-smes-have-to-tackle-data-protection-right-now/