GDPR: answers to the most important questions GDPR: answers to the most important questions

The EU GDPR (General Data Protection Regulation) recently caused a sensation. Most affected Swiss companies have prepared themselves well for the new regulation. GDPR is in force now. What should we expect and what does the new law mean for Swiss companies?

Many Swiss companies had to examine their business activities and decide whether they will fall under the GDPR or not. This required a number of clarifications. International companies were practically all affected, but many local companies concluded that the GDPR does not apply to them. However, some of the marginally affected Swiss companies have decided to establish a GDPR-compliant data protection compliance framework nonetheless as a precaution in view of the upcoming Swiss data protection law because the content of the forthcoming Swiss DPA is essentially the same as that of the GDPR. However, these companies have a bit more time to create a data protection compliance framework.

The GDPR has given rise to a raft of questions, including:

Maturity: How can the GDPR be integrated into a company’s compliance framework? Which non-compliance risks has the company identified and how will it mitigate these? Since the regulation was enacted in May 2016, companies have had to ask themselves these and many other questions making the implementation a mammoth task!

Structure: The demanding practical implementation made it clear that the GDPR was written from the perspective of the data subjects and not from the perspective of the companies concerned. The law foresees the roles of a “data controller” and “data processor”. Companies now have to interpret how the specifications can be implemented in practice. Accordingly, the solutions and thus the current status of compliance of the individual companies vary greatly.

The GDPR compliance framework elements that should be available at least as of today are the following:

• A documented clarification and decision if and in which business areas of the company are subject to the GDPR
• Privacy data governance with clear roles and responsibilities, sometimes with a data protection officer (DPO) where one is required by the GDPR
• A data protection policy adapted to GDPR requirements and a cookie policy
• Adjustment of the contractual regulations with third parties regarding personal data
• A prepared process for the collection, review and, where necessary, reporting of data breaches
• A records of processing for personal data
• Where necessary, the corresponding data protection impact assessments
• Ensuring the respective lawfulness for the legally compliant processing of personal data. Please note that obtaining “consent” is only one of six possible options!
• Processes for fulfilling the obligations towards the data subjects for their data rectification and information requests and their “right to be forgotten” or their demand for data deletion as well as the demand for data minimization
• Establishment and documentation of an adequate level of technical protection to continuously safeguard personal data (e.g. by means of ISO 27001 certification)
• Integration of data protection risks into risk management and development of corresponding controls and documentation for auditing capability

Due to the individual risks associated with each company’s activities, very few companies have by now fully implemented all elements into their operations. However, the core elements, such as policies and processes, should have been established in most cases.

The GDPR concerns the EU, but also has extraterritorial effects. Swiss companies are per se outside the EU and often active outside the EU. In countries such as China and Russia, they encounter local regulations, some of which are diametrically opposed to the GDPR. These companies were therefore forced to create a global mapping of regulations and to work out concepts on how data storage and data exchange can take place despite the partly contradictory regulatory requirements.

In view of the recent events involving Facebook and Cambridge Analytica, we can expect that the USA and other countries will issue GDPR-like regulations in the near future.

The central question for companies is: how will the authorities behave? Will I be controlled? And can I be held accountable by an EU authority?

With the GDPR, the legislator has also put the authorities in a difficult situation, since it gives the authorities considerably more power to control and sanction. However, little thought has been given to the effects and what this will mean for the authorities’ resources.

If all serious and allegedly serious data protection breaches (of which there are likely to be more) were to find their way to the authorities, it would be hopelessly overrun. The EU authorities have in some cases hired hundreds of additional employees, but this is unlikely to be enough to process the expected volume. The high fines signal that the authorities mean business and so it is to be expected that companies will report more breaches than necessary in order to avoid risking a heavy fine.

Recognizing this situation, individual EU authorities have stated that they would not be proactive, at least initially. Nevertheless, they must comply with their legal obligations in the event of actual breaches of data protection laws. Their limited resource situation will therefore force them to prioritize and it is to be expected that at the beginning, the focus will be on the very difficult cases.

In order to be able to handle all other cases, the authorities will have three options:

• Stretch the time to process the cases
• Create alternative and sufficiently efficient processes
• Tasks to third parties (e.g. accredited auditing companies)

There is still some range for companies to implement GDPR measures at the outset. However, if complaints come in, the authority and the company must take action. The minimum readiness listed above is therefore necessary.

Over time, however, the legally possible proactive activities will certainly also take place. It can also be assumed that fines will be a means of financing the many new officials in the future. Therefore, the establishment of a solid data protection compliance framework is indispensable in the long term.

EU authorities operate within the EU. If they want to implement the extraterritorial effects of the GDPR by means of measures taken by them, this would have to take place via corresponding cooperation agreements. It is still unclear how this could happen for an EU regulator wishing to become effective in Switzerland. However, it will certainly be possible to address units of Swiss companies located in the EU.

Initiatives are currently underway by many auditing companies (including KPMG) to obtain accreditation as GDPR certifiers from relevant state authorities. The first suppliers are expected in late summer. From then on it should be possible to obtain GDPR certification.

Given the high financial impact of a fine, most auditors will consider that GDPR non-compliance is a high risk and will propose appropriate audits to those responsible for audits in the respective boards.

It cannot be ruled out that companies may attempt to interfere with competitors by using individual data subjects to claim violations of GDPR by their competitors.

It cannot be excluded that customers or employees will use the rights from the GDPR to take revenge on a company. Companies should therefore prepare themselves by how to deal with such a situation. The so-called “GDPR Nightmare Letter” is already circulating on the net. Even if its content is so hardly demandable, there is a reference to the ideas of such groups.

At the same time, more and more people will learn about their rights through the media, think about them and ask questions.

• With regard to the legacy concerned: analysis of further EU publications on GDPR (Working Party 29) and monitoring developments in various local data protection laws, in particular of course the Swiss Data Protection Act.
• Stress test of the current GDPR Compliance Framework using Use Cases: Is today’s framework able to cover the most likely cases?
• Further expansion of the data protection compliance framework according to the risk and “onion principle”: The data protection law explosive as well as the externally visible should be addressed first. Companies that have not implemented everything should be able to explain how they assessed the situation, how they came to prioritise it. They must also be able to submit a plan showing when and how the individual elements are to be constructed.
• Automation of the data protection compliance framework in such a way that it can be maintained with as few personnel resources as possible. In terms of “lean compliance”, considerable savings can be achieved here.
• Creation of global regulatory maps and definition of an appropriate data model that can deal with these regulations