12. March 2018

European General Data Protection Regulation – Unnecessary paper tiger or indispensable protection?

The European General Data Protection Regulation (EU-GDPR) has been in force since 26 May 2016 and will have to be implemented by 25 May 2018. Why should this be of any interest to Switzerland?

Switzerland as a federalist, independent and neutral country is accustomed to being asked first before a foreign regulation is adopted – let alone directly implemented. This time, however, is different. In an almost US-American manner, the EU issued a General Data Protection Regulation with extraterritorial effect and granted its own member states hardly any leeway with regard to implementation. What is new is that its applicability is not tied to the location where data are processed or data protection is infringed. It applies to all European citizens – irrespective of where in the world they happen to be.

As a result, as a company collects personal data of European customers, it is subject to the factual and spatial scope of the European General Data Protection Regulation.

What exactly is the EU-GDPR?

The EU-GDPR replaces the European Data Protection Directive 95/46/EC and aims to harmonise data protection law throughout Europe, to preserve and reinforce EU citizens’ data protection and to reconfigure the way in which organisations on EU territory deal with data protection. More detailed information about the EU-GDPR can be found on the website of the Swiss Federal Data Protection and Information Commissioner and the relevant European regulations authorities (e.g. Germany, Austria, Liechtenstein or the UK).

Implementation

Contrary to what one might wish, no best practice recommendation has been made available as yet, most likely because of the lack of experience, court rulings or circulars. What follows is merely an attempt to explain how one could deal with the new legal framework conditions in order to comply with the legal provisions.

First of all, it must be established whether a company will be affected by the EU-GDPR at all. If this is the case, all the relevant information about the new regulation must be collected in order to prepare for implementation. For this purpose, the following questions need to be posed: What does the law look like today? What new provisions will be applicable? What is going to change? What articles of the regulation will concern us? What measures will we have to or be able to take?

In a second step, all the existing internal processes that concern personal data must be examined. These include all the information relating to a particular natural person. As far as possible, potential new processes will also need to be assessed and recorded. The goal is to be able to comply, say, with the reporting obligation in cases of data protection infringements accurately and in time – a 72-hour time limit applies. Another example is the obligation to delete data, i.e. the ‘right to be forgotten’. The information collected about the new regulation and about necessary and possible measures concerning all existing and new processes must then be transposed into an implementation manual, for example, to ensure that all employees will be able to deduce possible obligations and measures for themselves or their field of work. This manual can also become part of in-house quality management, the implementation of which is secured by means of monitoring mechanisms. Any processing of personal data must be documented and is within one specific person’s scope of responsibility. All this information can be set down in this implementation manual in tabular form.

To ensure that the whole team and the whole company are up to date, training sessions will have to be conducted in which the manual is presented and its application is explained.

What measures can be taken immediately?

Besides the documents and training sessions mentioned earlier, additional measures must be taken. It is of central importance, for instance, that existing data are analysed. In other words, companies must ensure that personal data are only recorded for a specific purpose and with the affected person’s consent. The magic word here is minimalism. Only the data that are really necessary may be collected. Information that goes beyond this should not be requested.

Provided that a company is subject to these legal provisions, it will also have to appoint an in-house data protection officer and possibly even a European data protection representative. The former should operate as a competence centre within the company, monitor whether data are processed in line with regulations and serve as a contact point in cases of uncertainty. The latter should be the contact point for European authorities that want to contact the company. This position need only be filled if the company does not have a European branch office or subsidiary and thus lacks a contact point on EU territory.

What happens in cases of non-compliance with the EU-GDPR?

The new sanctions are harsh and incisive; after all, there is the threat of fines of up to EUR 20m or 4% of the company’s global annual turnover, with the higher (!) amount being applied. Moreover, the company concerned runs a massive risk of reputational damage.

What the implementation and enforcement of this European regulation will look like in detail will first have to be clarified through precedents. In certain circumstances, Swiss authorities may well have to provide administrative assistance.

Possible further measures

Further possible measures to be considered might include the pseudonymisation and encryption of data, particularly if they are especially worthy of protection. Furthermore, the confidentiality, integrity, availability and robustness of data and data processing in a company must be guaranteed, for instance by means of systematic access and virus protection. For these measures to remain current at all times, it is necessary that the effectiveness of these measures is checked, measured and assessed. The frequency of these checks and the scope of the protection measures depend on the sensitivity of the data and require case-to-case assessment.

Final consideration

To conclude, it must be noted that digitisation creates many new dangers, and opportunities for the abuse of data. It is therefore important that everyone is protected, sometimes also from themselves. It happens surprisingly frequently that the persons concerned are not sufficiently able to appreciate the extent and the dangers of authorised provision or release of their data over the internet. Nonetheless, it appears to me that with the red tape caused by the new European solution overshoots the mark somewhat – particularly with regard to the excessive fines. It will be exciting to see how the Swiss legislators will deal with this challenge and how much of the EU-GDPR provisions will find their way into the CH Federal Act on Data Protection that is currently under review.

 

Picture: Istockphotos

 

Don't miss our updates

Don't miss our updates - sign up to our weekly newsletter.

Please wait...

Thank you for signing up to our updates!

About the author
Sabrina Weiss Sabrina Weiss has been a research assistant at the Executive School of Management, Technology and Law (ES-HSG) since April 2017. In her function, she is responsible for establishing the Competence Center Law & Management and supports various projects of Prof. Dr. Leo Staub and Prof. Dr. Bruno Mascello.