As widely known, the revised Swiss Federal Data Protection Act ("revFADP") will enter into force on 1 September 2023, and there will be no grace period. As a result, if you or your organisation process personal data in Switzerland, you have five months to implement the new requirements in your organisation.

Swiss organisations are at different stages of implementing the new requirements. If your organisation has done little to nothing to date, this briefing will guide you on what you really should do now.

PERFORM DATA MAPPING & GAP ANALYSIS

As a starting point, you should review all your data processing activities and, if necessary, perform a comprehensive data mapping exercise with your teams or departments and carry out a gap analysis.

Data mapping reveals your organisation's data flows, including the sources, storage and destinations of personal data. It is a critical component of data protection compliance because it helps your organisation to understand how personal data is collected, processed, and stored and to identify potential privacy risks.

Conducting a gap analysis helps your organisation to assess your level of data protection compliance and to identify any gaps for remediation (e.g., missing documents, processes, training etc.) prior to 1 September 2023 when the revFADP enters into force.

Once you have mapped your data flows and carried out a gap analysis, prioritise the steps you need to take according to your highest exposure or risks. In the following, we have listed important action items according to the level of exposure and risks.

REVIEW DATA PROTECTION ORGANISATION

You should review and, where necessary, adjust your general data protection governance, such as roles and responsibilities regarding data protection within your organisation, structures, policies and processes.

INFORM DATA SUBJECTS

As the responsible organisation, you will now be required to actively inform your clients, employees and other individuals of all processing of their personal data when you collect their data.

You have to inform them appropriately about the collection of personal data; 'appropriately' means that information should be provided in a precise, transparent, comprehensive and easily accessible form.

The information you need to provide is less comprehensive than in the EU (identity of controller, purpose of processing, recipients of data and categories of data). However, contrary to the EU, you must provide a list of recipient countries and, where necessary, guarantees if you transfer data abroad.

In view of the extended duty to inform, you should review and, where necessary, adapt your privacy policies, privacy notices, employee handbooks, general terms and conditions and other means you use to inform individuals of your processing activities.

Exceptions apply, among others, if the individual already has the information (no need to reinform individuals), the information would defeat the purpose of processing (e.g., in connection with ongoing legal proceedings or internal investigations) or the controller is a private person and bound by a legal obligation to secrecy.


The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.