What is the new GDPR?
A quick fact: after four years of preparation and debate, the GDPR was finally approved by the EU Parliament on 14 April 2016. The enforcement date of the new GDPR is 25 May 2018, after a two-year post-approval grace period, and from that date organizations in non-compliance may face heavy fines. The fines range from €10 million or 2% of annual worldwide turnover (whichever is greater) up to €20 million or 4% of annual worldwide turnover (again, whichever is greater) for the most serious violations.
What is GDPR about, and who is concerned?
Basically, GDPR is a set of regulations governing the collection of any kind of personal data of EU citizens, aimed at transparency and security for all data collected, stored and transferred. These regulations cover personal details such as names, addresses and e-mail addresses, as well as the whole range of sensitive information, such as religious beliefs, political stance or dietary preferences. The main principle behind the GDPR is transparent data handling, giving users complete control over the ways their data are collected, stored and used.
Because this data is collected by so many businesses and service providers across so many industries and fields, from your mobile phone company to any major retailer issuing loyalty cards and asking you to fill in an application form, the purview of GDPR is clearly much wider than one might think.
In Switzerland, the corresponding document is the Swiss Data Protection Act, which is today around 25 years old. It will of course be updated in light of the new European GDPR, but this revision is not expected before 2019. As GDPR is a European regulation, Switzerland may not feel concerned, but that would be a serious mistake. Apart from Swiss companies offering services in Switzerland and not processing any personal data of individuals in the European Union, all other Swiss businesses are now concerned in the way they perform their data collection, and this may ultimately be the vast majority of companies (SMEs or large groups) in the confederation. In addition, Switzerland is part of this economic area, and harmonization of the rules will certainly be a priority for the confederation when revising the LPD (Data Protection Act), as well as for the cantons in their local legislation. Indeed, as a reminder, the GDPR applies to companies located in Switzerland in only the two following cases:
- When the processing activities are related to the supply of goods or services to persons in the Union, whether or not payment is required from such persons; or
- When the processing activities are related to the monitoring of the behavior of such persons, insofar as that behavior takes place within the Union.
GDPR vs current Swiss regulations
Fortunately, we are not starting from scratch. The current Swiss regulatory framework already defines a number of common concepts and rules which also serve as a basis for the new European regulation.
- The notion of "personal data", even if the GDPR is a little more precise about what it includes (identification number, online identifier, location, etc.);
- The notion of "sensitive data" when the information collected concerns religious, philosophical and political opinions, privacy, etc.;
- The requirement that data be collected only for a very specific and clearly defined purpose (proportionality principle);
- The requirement to implement specific technical and organizational means to guarantee the protection of personal data;
- The requirement that the accuracy of processed data be guaranteed by the responsible persons;
- The processing of personal data has to be lawful (governed by laws, or by the consent of the persons to whom the data relate).
In addition, your company may already be subject to the FINMA rules, which are rather strict regarding the protection of "Customer" data. But note that GDPR is not just about customers: all personal data collected in relation to EU citizens are concerned.
Nevertheless, new rules do appear and their subtleties are numerous; here we will outline only the changes with the greatest impact:
- Mandatory notification: in the event of a "personal data leak", the company is obliged to notify the supervisory authority within 72 hours. As Switzerland is not an EU member, the supervisory authority will be that of the member state of the individual to whom the data relates.
- Designation of a data protection officer with a well-defined scope of tasks (compliance, documentation, reporting, contacts with the supervisory authority, impact analysis of data processing, etc.).
- Mandatory privacy impact assessment for any mass processing of personal data;
- For companies in non-EU countries, designation of a representative in the Member State of the individuals whose data are collected.
- Protection of privacy by default and by design: processing tools must provide, from the design stage, mechanisms that limit access to personal data to a minimum, and must ensure that these mechanisms are configured to the most restrictive setting by default.
- Data mobility right: anyone whose data has been collected may require that it be retrieved as a single block, in a "structured" format suited to computer processing, for example in order to transmit it to another entity of their choice.
- Right to be forgotten: any individual whose data has been collected may demand their removal "without delay".
- Explicit consent: the DPA today provides that if the processing of data is connected with a contract signed with the individual to whom the data relates, then the processing is lawful. By contrast, the GDPR provides that consent to the processing of personal data must be explicit and distinct from the signature of the contract.
In the following entries, we will summarize the key steps to take to ensure that your business is in full compliance with the new GDPR.