“Data protection is not just an IT issue”

How to master data protection

Interview with Philipp Rosenauer, Head Data Privacy | ICT | Implementationᐩ at PwC Switzerland

Surfing the wave of the rising tide of data is an art. Or is it just a question of preparation? We talked to Philipp about how to master data protection – in a pragmatic way.

26.04.2022

When can a company be sure it is doing enough for data protection?

It’s all about data awareness and sensitivity. A company has to know what data it has, where it comes from, what happens to it, where it ends up and when it has to be destroyed, and how. If this awareness and knowledge is present in the company, it has done what is required of it. In addition, the top priority throughout the processing period is confidentiality and secrecy. This runs through to the deletion and legally compliant destruction of personal data.

Where do the risks lurk when dealing with data, and how can they be prevented?

The first misconception about data protection is that this topic is often attributed only to IT. However, IT only accesses digital data and hardly deals with the processes and regulations behind it. In addition, IT has no insight into data processing in other departments, such as HR or Sales. Therefore, the greatest dangers and risks lie, on the one hand, in incorrect placement within the company and, on the other, in the approach of addressing data protection only selectively, instead of focusing on entire data flows. 

What, therefore, is particularly important in digital transformation when it comes to data and secrecy protection?

We can already find solid technical approaches at most companies. What is still most often lacking are organisational and documented process solutions. Data protection is also required in partially automated or non-automated processes – in the handling of paper, for example. This also includes internal confidentiality. After all, data protection also calls for confidentiality and secrecy within a company, not just externally.

How do you solve the issue in a particularly smart way in order to gain further advantages from it?

Data protection solutions can only work in the long term, not as a single measure. These are dynamic, living processes and should be perceived as such. This is not possible without the help of experts with an external view. Tackling the issue professionally offers many added values. For example, data protection ‘forces’ companies to take a closer look, which means that internal processes and procedures can be regularly re-evaluated, e.g. in terms of their necessity and efficiency. This creates a transparent environment and establishes new quality standards, according to which work can then be done. So you could say that the big goal of data protection is to ensure greater reduction and transparency.

“We are living in an increased age of digitization – and with that also data protection is an important building block to consider.”

Philipp Rosenauer, Head Data Privacy | ICT | Implementationᐩ at PwC Switzerland

The entry into force of the new Swiss Data Protection Act has been pushed back to September 2023. What does this mean for companies and organisations in terms of their implementation project?

First and foremost, this push-back to a later date does, of course, give companies some room to breathe, as they are not required to work to a tight deadline. However, I would be reluctant to stop or pause implementation projects that are already ongoing. We saw such approaches in Europe with the EU GDPR, and it resulted in many companies not being ready when the EU GDPR became applicable. Now, of course, the Swiss Data Protection Act is much more pragmatic compared to the EU GDPR. However, companies should not underestimate the possibility that potential technical adjustments in IT applications, such as the implementation of deletion functionalities, might take some time – including on the part of the IT vendor. We are living in an age of increased digitisation – and that also means that data protection is an important building block to consider. So I would rather use this additional time to reprioritise certain elements and to closely consider the impact on the IT landscape of a company.

We often hear the argument that the Data Protection authorities are only targeting big software companies anyway, like Google, Meta, Amazon or Microsoft. What does this mean for smaller companies that do not process such large data quantities?

Well, to a certain extent, there is some truth in this saying. Of course, data protection authorities globally, as well as in Switzerland, only have limited capacity in terms of the amount of inspections they can conduct. And there is, of course, a tendency to focus on the ‘big whales’. However, data protection should not only be considered from a compliance angle. Whereas product safety was the dominant factor in the industrial age, data protection is a crucial element in the information age. How would you feel if your personal data were exposed in a data breach, and you were not properly informed about it and were unable to take any measures to protect yourself further? How would you feel if a company shared your personal data with third parties without informing you or obtaining your prior consent? So, you see, data protection is not only about being compliant with the law. It is also about building trust as a company vis-a-vis your stakeholders, clients and employees. And, last but not least, we also should not forget that data protection and data privacy form an important element under the ‘S’ of the ESG discussions.



Contact us

Philipp Rosenauer


Partner, Legal, PwC Switzerland

Tel: +41 58 792 18 56