What actions should I take to be compliant with nFADP?
Actions to comply with the new law should be taken at all levels of the organization, covering communication, organizational, legal and technical measures as well as processes.
Here are our specific recommendations:
- Understand the law: Thoroughly study the new data protection law to gain a clear understanding of its requirements, scope, and any specific obligations it imposes. Make sure to involve all your stakeholders.
- Appoint a data protection officer: In contrast to the GDPR, designating a DPO is not mandatory under the Swiss FADP. However, it is highly recommended in order to ensure compliance with data protection regulations and to provide a point of contact for the data protection authorities.
- Train employees on data protection: Provide training to employees to raise awareness about the new law, their responsibilities, and best practices for handling personal data.
- Create a data processing register: This register serves as a central repository of information about your organization's data processing activities. It provides you with a comprehensive view of the data flows, systems, and processes involved in handling personal data.
  This enables effective data governance by allowing you to identify potential risks, assess compliance, conduct data protection impact assessments (DPIA) and implement appropriate safeguards and controls to protect personal data.
«A Data Protection Officer is crucial: A DPO assumes overall responsibility, implements data protection measures and acts as point of contact for authorities.»
- Update privacy policies and notices: Review and update your privacy policies and notices to reflect the changes in the law. Ensure that they provide clear and transparent information about how your organization collects, uses, and shares personal data.
- Review and update data processing agreements: If your organization shares personal data with third-party processors, review and update your data processing agreements to align them with the new requirements. Ensure that these agreements include the necessary data protection clauses and address the responsibilities of each party.
- Review data transfer mechanisms: Assess the mechanisms your organization uses to transfer personal data outside of Switzerland, such as standard contractual clauses or binding corporate rules. Ensure that the chosen mechanisms comply with the new law's requirements for international data transfers.
- Obtain the necessary consents: Review your consent mechanisms and ensure that they meet the enhanced consent requirements under the new law. If needed, obtain fresh consent from individuals.
«Security training enables your employees to recognize threats such as a phishing attempt and to handle the situation appropriately, which significantly reduces the risk of a successful attack.»
- Assess and enhance data security measures: Thoroughly analyze your organization's data security measures. Implement appropriate technical and organizational measures to safeguard personal data, such as encryption, access controls, and regular security audits.
Processes: define, implement and test at least the following:
- Data subject rights: Establish a process to handle data subject rights requests promptly and effectively. Develop procedures for verifying the identity of the requester and document all actions taken.
- Data breach response plan: Develop or update your data breach response plan to align with the new law's requirements. Clearly define the steps to be taken in the event of a data breach, including incident reporting, assessment, mitigation, and communication procedures. Under the Swiss FADP, you have to report data breaches to the FDPIC as soon as possible. To do so, you can use the FDPIC online service for data breach reporting (Art. 24 FADP).
- Data minimization: Holding on to personal data for longer than necessary increases the risk of unauthorized access, misuse, or data breaches. By implementing a data retention process, you can systematically review and delete or anonymize data that is no longer required, minimizing the amount of personal data your organization retains.
On September 1, 2023, the new data protection law (nFADP) came into effect.
Data protection compliance is not only a seal of quality but also protection against financial losses, loss of trust and reputational damage.