Initial situation - what's the point?

On September 1, 2023, the revised Swiss Data Protection Act (DPA) will enter into force without a transition period. The new law is needed to keep up with the required standards of EU countries and not be considered an insecure third country. For the official text of the law, please refer to the Federal Act on Data Protection.

Almost exactly five years ago, the GDPR - the big sister of the DPA, so to speak - came into force and had a big impact on the web. Those who dealt with it back then are now at an advantage. However, DSGVO compliance does not automatically mean that you are completely prepared for September 1. The DPA differs from the GDPR in a number of places and these "Swiss Finishes" have a lot to offer: the new penalty provisions can result in fines of up to 250'000.– in the worst case.

«Are we actually ready?»

This question has probably been doing the rounds in many companies in recent months, and so we also decided to tackle the topic about a year ago and familiarise ourselves with the DPA on the web.

But as is often the case with complex topics, we first encountered many more questions in our search for answers: "Which laws apply to our web application?", "Do we unknowingly pass on data to unsafe third countries?" and "How long is the retention period for our data?", to name just a few examples. Thus, step by step, we have developed an auditing process for web applications, which examines all affected areas for the need for action. The key to this process lies (not entirely unexpectedly) in the data itself and its precise documentation.

Where is my data anyway?

Virtually every production company keeps a meticulous warehouse inventory and precisely checks the inputs and outputs of individual items - there is even specialized software that helps you do just that. And regular checks are made to ensure that what is on the books is actually in the warehouse.

If you now pay the same attention to your data, you are well prepared for many necessary data protection measures. What data is stored where, for how long and for what purpose? And who ensures that the data is correctly archived or deleted after the defined period?

The answers to these questions must be recorded (and regularly reviewed!) in a «directory of processing activities». This is not mandatory for all companies thanks to the SME exemption - but we still recommend it to everyone. We hope that by the end of this blog post, it will be clear why. Because the «Small Data Inventory», as it is sometimes also called, forms the basis for all further steps.

Data economy is sexy

Even better than documenting your data accurately is not collecting unnecessary data in the first place. Every data silo that is not created minimizes the risk of a data breach, and this reduces the damage potential of a data leak. But data thrift is not only trump from a data security perspective: every data point that has to be inventoried, checked and archived means recurring effort. So data economy also makes perfect sense from a business perspective.

Whereas in the past, data was collected in bulk («I'm sure I can calculate something clever from this one day»), today it is important to prevent unused piles of data. After all, lifecycle management of one's data is already a major challenge even with a small amount of data.

The data protection principle «Privacy-by-Default» introduced with the FADP now even legally requires data protection-friendly default settings to be used. But in order to make these settings, you first have to know them: Who knows, for example, how long their Google Analytics data is kept?

More processes?

Another innovation is the extended rights of data subjects. From September 1, customers will be able to ask at any time what data is being stored about them, for what purpose and for how long. According to the FADP, this information must be provided free of charge and in normal cases within 30 days.

In order to be able to process such requests efficiently, it is worthwhile on the one hand to already have a clean data inventory as a basis and on the other hand to define what the internal process for such a request looks like. In addition to data subject rights, there are other areas in which it is worthwhile to review the processes in advance. In particular, these are the data protection impact assessment (DIA) for new projects and the notification of data protection breaches.

If a data breach actually occurs, the Federal Data Protection and Information Commissioner (FDPIC) must be notified as soon as possible. Under certain circumstances, the data subjects may also have to be informed. This may be the case, for example, if all users are to change their password as quickly as possible. If such a case occurs, you are glad if the notification process is already defined and you do not have to worry about it in the middle of the chaos.

Technical homework

In order to keep the probability of a data protection breach as low as possible, it is important to check the current state of the art in addition to all the organizational measures. The data protection regulation "Privacy-by-Design" (data protection through technology) obliges one to ensure that one's web application meets the current security standards.

In addition to classic transport encryption (TLS), there are also a number of options for automatically collecting less of the user's data and eliminating unneeded data sources in the interests of data economy. To do this, it is necessary to check whether the web application passes on data to third parties for processing. Classic examples of such commissioned processing are analytics suites, newsletter tools or the widely used Google ReCaptcha.

Once the existing order processing in the web application has been identified, the corresponding need for action can be evaluated. This starts with informing the user in the privacy policy. Depending on the scope of processing and the target country, an order data processing agreement (DPA) with the third-party provider may also be necessary. And in certain cases, the user's consent must be obtained before the data is transferred. This is referred to as «consent management», which is often solved via a cookie banner. The information in the privacy policy, the required DPA and the cookies used must be updated regularly.

Automate!

What is already certain: If all these measures are to be implemented correctly, a lot of organizational effort will be required. But there is also good news: Much of it can be automated with the right tools. For example, there is a tool that regularly checks existing data transfers to third parties and automatically writes the correct information in the privacy policy and cookie banner.

This kills two birds with one stone: on the one hand, automation ensures that the information is always up to date, and on the other, it saves time that would have to be spent on recurring work. A lot can also be automated in the lifecycle management of data. Automatic deletion after the retention period has expired, anonymization of older data or moving it to the archive are just a few possibilities.

Conclusion

So, to be ready for September 1 and beyond, the following recipe for success can be noted:

1. A clean data inventory lays the foundation for next steps
2. Define internal processes before they are really needed for the first time.
3. Automate recurring tasks as much as possible – know the right tools to use
4. Select a data protection contact in good time
5. Where there is a need for action at all depends heavily on the initial situation and the individual web application - we will be happy to do this work for you as part of our DSG check!

In our DSG Check, we check your web application for DSG compliance and examine the initial situation. The result is a detailed report with concrete recommendations for action. These recommendations are either organizational in nature and can be implemented by you or technical tasks, which we can take over for you. You will also receive instructions and document templates for any organizational recommendations for action.

We are happy to answer your questions, please contact us at.