Security: Ready for the nDSG?

Data Protection

We have the «HOW» for your «WHAT»

As of September 1, 2023, the new Data Protection Act (nDSG) will come into force. The aim of the new Data Protection Act is to harmonize the DPA with European data protection law. This is because Switzerland should continue to be recognized as a third country with an appropriate level of data protection and uncomplicated data transfer between Switzerland and the EU should continue to be possible. In addition, it is a matter of adapting the DPA to the greatly changed social and technological environment (from social networks to the cloud).

In the process, the rules for processing personal data have been tightened. There is a particularly high risk for companies that process large amounts of personal data or data requiring special protection. This also applies to companies that operate an online store, perform profiling or transfer personal data internationally (beyond the EU). We have created an overview of the most important changes for you.

What will change?

Scope

Similar to the EU's GDPR, the Swiss nDSG now protects only the data of natural persons, and no longer that of legal persons as was previously the case. In addition, genetic and biometric data are now classified as requiring special protection. This is relevant, for example, when customer data is recorded and processed in a CRM or similar customer system.

Responsibility

Another new feature is that not only the company itself, but also those responsible (owners and employees) can become the target of criminal proceedings. In addition to possible sanctions by the Federal Data Protection Commissioner (FDPIC), fines of up to CHF 250'000 and even criminal proceedings are possible. It is important to know that the threat of punishment affects any employee who intentionally violates the law. This means that the fines are not imposed on the company, but on an employee.
If a company does not take measures in accordance with the new law, it acts intentionally or at least accepts a violation of the law (contingent intent) and can be fined or punished.

Transparency

Companies have more comprehensive information obligations than ever before and must now inform data subjects appropriately about every data collection. This applies not only to data requiring special protection, as was previously the case, but to all data. The information obligation also applies if the data is not collected directly from the data subject.
The identity and contact details of the data controller, the purpose of processing, the recipient or categories of recipients and, in the case of data export abroad, the recipient country, must be provided. In this regard, the nDSG is even stricter than the GDPR.
Specify the countries to which personal data will be disclosed and ensure that this only takes place in those countries that can guarantee adequate protection. This also applies to storage on foreign systems (i.e. cloud).
Public cloud solutions such as Microsoft Azure allow you to determine where your data may be stored and used. In doing so, the data is encrypted both during transmission (in motion) and in the stored state (at rest).

Processing Activities

Companies must be able to prove who has processed the data and must therefore keep a register of processing activities. On the other hand, a register of data collections is not required.
However, linking the register of processing activities with the register of data collections is recommended, as the same application or database is often used for several data processing activities.
According to the E-VDSG, companies with fewer than 250 employees whose data processing involves a low risk of violations of the personality of the data subjects are exempt from keeping a register of processing activities.

Impact Assessment

Companies are now required to carry out a so-called data protection impact assessment if data processing poses a high risk to the personality or fundamental rights of the data subject. The aim is to reduce the related risks to a minimum by assessing in advance the risks that may arise and the measures to reduce them. This must be documented.

Profiling

Profiling refers to the automatic processing of data to evaluate certain personal aspects of a person, such as the economic situation, health, interests, behavior, whereabouts, and so on. This therefore refers to customer data that can be used to form an accurate picture of the person, the human being behind the data.
If clear traits of a person can be read, this is so-called «high-risk profiling» and such customer data may only be collected with explicit consent. If there is no «high-risk profiling», there is no obligation to obtain consent.

Obligation to report

If a data security breach occurs, this must be reported to the FDPIC (Federal Data Protection and Information Commissioner) as soon as possible. A data security breach is understood to be the unintentional or unlawful loss, deletion, destruction or alteration of personal data, or its being made accessible to unauthorized persons.
As a rule, the data subject must also be informed if this is necessary for his or her protection (if his or her personal or fundamental rights are at risk) or if the FDPIC so requires. It is recommended to appoint an internal data protection officer, whose contact information must be published.

Privacy-by-Design and Privacy-by-Default

These principles oblige the company to take data processing into account as early as the planning and design stage of applications. This means, for example, using default settings to ensure that no further data processing can be carried out without the consent of the data subjects.
Privacy-by-default means that the personal data actually processed must be clearly consistent with the intended use. Use of additional «avoidable» information requires notifying the individual and obtaining their prior consent.
Privacy-by-design includes a set of specific processing principles that must be implemented at the point of data collection. Precise internal planning of data protection default settings is crucial.

Data Security and Data Protection

In the nDSG, data protection is understood as part of the principle of privacy-by-design:

  • Art. 7(1): «The controller is obliged to design the data processing technically and organizationally in such a way that the data protection provisions are complied with, in particular the principles set out in Article 6. It shall take this into account from the planning stage onwards.»
  • «Article [8] obliges both the controller and the processor to provide for an appropriate security architecture for their systems and to protect them against, for example, malware or data loss. Article 7(1), on the other hand, aims to ensure compliance with data protection rules by technical means, e.g., that data processing remains proportionate.»

A conscious distinction is therefore made between data security and general data protection. From a data security perspective, the following measures are recommended:

  • Perform a network vulnerability analysis
  • Implement virus and malware protection
  • Implement endpoint security solutions
  • Raise security awareness in the company
  • Create a clear role and authorization concept for user and group access rights
  • Ensure that data is protected with state-of-the-art encryption
  • Create an incident response plan that clearly defines how to respond in the event of data security breaches, hacker attacks, Trojans and encryption malware
  • Ensure that backup processes are implemented and that recovery (restoration of data) also works
  • Ensure that data is encrypted (both at rest and in motion)

The technical requirements of the nDSG can be met by consistently using Microsoft solutions. This goes far beyond the geographical selection of the data center or encryption. Intune can be used to manage your endpoints (laptops and desktops) and Microsoft 365 can be used to automatically identify personal data. In Compliance Manager, all configurations are visible and compliance reports can be pulled at any time. With Microsoft Purview, data can be classified and controlled according to this classification. With DLP (Data Loss Prevention), data containing personal information can be identified and blocked from unwanted or inappropriate release (e.g. via e-mail). Information governance can be established through so-called data retention labels and policies. In addition, Microsoft 365 lets you protect customer data by sending and receiving encrypted emails between employees and people outside your organization.