GDPR – The next regulatory challenge
May 25, 2018 – many companies have marked this date red in their calendars. On this day, the European General Data Protection Regulation (GDPR) becomes applicable. Because it is a Regulation rather than a Directive, it applies directly in every Member State and does not need to be transposed into national law. Without any doubt, the GDPR is one of the biggest game changers in the area of data protection of the last decades.
But why is the GDPR relevant for Swiss companies?
Although it is an EU Regulation, the GDPR has a significant extraterritorial effect (Art. 3(2)). Companies domiciled in third countries like Switzerland are affected by the GDPR if (a) they offer goods or services to data subjects who are in the EU, irrespective of whether a payment is required, or (b) they monitor the behaviour of such data subjects, as far as that behaviour takes place within the EU.
On the one hand, Swiss companies therefore have to carefully analyse whether their business activities are directed at data subjects in the EU. The mere accessibility of a website from the EU is not sufficient on its own. Evidence that an activity is directed at such persons could include, amongst others:
· International nature of the activity at issue (e.g. tourist activities)
· Mentioning of telephone numbers with an international dialling code (e.g. on the website)
· Use of a top-level domain other than that of the state in which the company is established, or use of neutral top-level domains such as “.com” or “.eu”
· Description of directions to the place where the company is located from other countries (e.g. via Google Maps)
· Mentioning of an international clientele composed of customers domiciled in various Member States, in particular by presenting reviews or accounts written by such customers
· Use of a language or currency generally used in one or more Member States, with the possibility of ordering goods or services in that language (Recital 23 GDPR)
On the other hand, monitoring of behaviour takes place, for example, when natural persons are tracked on the Internet, in particular where such tracking is followed by profiling of the person in order to take decisions concerning them or to analyse or predict their personal preferences, behaviours and attitudes (Recital 24 GDPR). Typical examples are cookie-based advertising tracking and behavioural analytics on a website.
So what should Swiss companies do?
In a first step it needs to be clarified whether a company falls within the far-reaching, extraterritorial scope of the GDPR described above (for most companies with an online presence, it is very likely that a number of touchpoints exist). If the result of this analysis is positive, every “processing” of the personal data concerned is subject to the requirements of the GDPR. “Processing” is defined very broadly and includes the collection, recording, organisation, structuring, storage, use and erasure of personal data, to name just a few operations. In addition, a representative in the European Union needs to be designated (Art. 27 GDPR). This representative is the point of contact for supervisory authorities and data subjects on all issues related to the processing of personal data. The obligation does not apply where the processing is only occasional, does not include large-scale processing of special categories of data or data relating to criminal convictions, and is unlikely to result in a risk to the rights and freedoms of natural persons; in practice, however, few companies with ongoing EU-facing activities will meet all of these conditions.
How to ensure compliance with the GDPR as a Swiss company?
In order to achieve GDPR compliance, a systematic approach is required. First and foremost, it is recommended to create a data and process inventory. This means analysing which entities/departments process what kind of data, for what purposes, on which legal basis, for how long, with whom the data are shared (including any transfers outside the EU/Switzerland) and which software applications and service providers are involved. Such an inventory is also the foundation for the records of processing activities that the GDPR requires most controllers and processors to maintain (Art. 30).
After that, the relevant data need to be classified to understand which areas are actually relevant for the GDPR. This allows non-personal data to be de-scoped, and it identifies special categories of data (e.g. health data) that require additional safeguards.
In the next step, a systematic gap and impact assessment needs to be conducted involving all relevant departments of the company (legal, IT, HR, marketing, etc.). Only by rigorously checking whether the legal requirements of the GDPR are satisfied (e.g. information duties, data subject rights, security of processing, breach notification within 72 hours, processor contracts) can potential gaps be identified and remediated in the subsequent implementation phase. Where a processing activity is likely to result in a high risk for the persons concerned, a formal data protection impact assessment is mandatory (Art. 35).
So – what are you waiting for?
The GDPR is coming. And it will affect a number of Swiss domiciled companies. Fines for violations have been significantly increased: the upper tier reaches EUR 20 million or 4% of the company's total worldwide annual turnover of the preceding financial year, whichever is higher. However, addressing the GDPR strategically brings a number of advantages. Consistent, well-documented data will provide improved analytics for strategic decision making. Moreover, a fundamental data and process inventory makes it much easier to adapt to future changes in data protection law, such as the currently revised Swiss Data Protection Act.