Digital innovation and data protection under the RGPD
What are the main requirements, and how can Swiss companies transform their adaptation process?
The General Data Protection Regulation (GDPR, known in French as the RGPD) became applicable to all on May 25, 2018. "All" includes many Swiss companies, which fall within the scope of the RGPD because of the way their business activities are configured.
However, particularly among Swiss SMEs, only a few have taken the need for adaptation seriously and carried out a thorough analysis of their internal processes concerning personal data. The legal language of the regulation is not easy to understand. The subject is complex, and finding an effective way to implement the required changes without creating a (financial and IT) monster is not straightforward.
This article aims to help Swiss companies and SMEs in particular to understand what concrete steps they should take to comply with RGPD requirements, and to see this need for adjustment as a business opportunity for digital innovation.
A wake-up call for Swiss companies
The RGPD regulates the personal data of EU citizens and residents. It inherently has an extraterritorial effect, since it must be complied with worldwide by any company processing that data, Swiss companies included. Swiss banks advertising their online private banking services to prospects in the EU, a Swiss machinery company delivering products to the European branch of a Chinese group, or a Swiss organization using web tools to track the cookies or IP addresses of people visiting its website from EU countries: all fall under the RGPD. All are now responsible under the RGPD for the personal data they control and/or process.
Fines for non-compliance are significant: they can amount to €20 million or 4% of worldwide annual sales, whichever is higher. For example, fines announced in 2019 went up to €50 million for Google, £183 million for British Airways, £99 million for Marriott and $2.2 billion for Facebook. Europe wants to make it clear that it will no longer accept "games" with personal data. In addition to these fines, each person concerned retains the right to claim personal compensation for damages.
Until now, in court cases, the highest fines have been imposed for violations of the privacy-by-design principle or of the explicit-consent requirement (see definitions via the link below).
When determining the amount of a fine, data protection authorities assess not only the consequences of a breach of the RGPD (e.g. a hack) but also the safeguards that were in place beforehand, i.e. whether the controller or processor "had done its job": whether personal data and emails were encrypted; whether servers and IT systems, right through to loyalty programs (traditionally less well protected than transaction systems), were secured; whether the company had carried out data audits and identified how customer data is collected, processed and stored, and who can access it and how; whether employees were sufficiently trained; whether proper IT due diligence was carried out before an acquisition; and so on, as we shall see.
Becoming RGPD-compliant requires a company-wide cultural shift and the re-engineering of important internal processes. In this context, Swiss companies of all sizes may find it useful to seek professional advice and to strengthen their (cyber) security processes, moving proactively from a manual, periodic approach to a continuous one.
Click here to continue reading the SwissQ article
You'll discover four central concepts to better understand the RGPD, 13 compliance requirements and how RGPD compliance is an opportunity for digital innovation.
Thanks to the author Anne-Liliane Jorand, certified Data Protection Officer (DPO), senior consultant, Alp ICT expert, founder and CEO of DynaMetrics.