How to prepare for the implementation of the revised FADP

Philipp Rosenauer
Partner Legal, PwC Switzerland

The revised Swiss Federal Act on Data Protection (revFADP) is expected to enter into force in September 2023. Until then, it is advisable to prepare for this sudden change in legislation in order to avoid unwanted consequences, so you should start implementing the new data protection regulation early.

Maintaining an overview may prove difficult and requires thorough attention. Our services will help you achieve compliance with the revFADP.

What are the most important steps to guarantee successful implementation?

It is crucial to follow clear, pre-determined steps and to consider industry-specific factors. Even if you already comply with the General Data Protection Regulation (GDPR), you will still need to adapt your processes, guidelines, documentation, etc.

Which steps must be performed to attain compliance with revFADP?

In order to get a better overview, we have summarised below some of the most important steps.

1. Adapt your guidelines, directives, work instructions and checklists

  • Data protection policy, data protection impact assessment, project management, data management, process management
  • Provision of data protection declarations for customers, employees and applicants, adaptation of various terms of use
  • Adaptation of customer contracts and forms for new customers
  • Greater involvement of management in data protection matters

2. Establish clear governance: tasks, competencies, responsibilities

  • Designation of a Data Protection Advisor (DPA) (in principle optional for private businesses)
  • Establishment of clear tasks, competencies, and responsibilities for the Data Protection Advisor
  • Establishment of the Data Owner role
  • Regulation of cooperation between the main stakeholders, e.g., the DPA, Legal, IT

3. Integrate data protection requirements into your processes

  • Creation of a list of processing activities
  • Development of deletion rules and a deletion concept (Data Retention Policy)
  • Implementation of the deletion functionality in IT applications
  • Implementation of data protection impact assessment process, checklists, and initial review of all currently running projects (Privacy by design/by default)
  • Verification and adaptation of reporting concept vis-à-vis clients and authorities
  • Establishment of processes to enforce the following data subject rights: periodic deletion, receipt of data protection requests, requests for deletion, requests for information, objection/requests for restriction of processing
  • Implementation of a concept for consent management as well as obtaining consent for the processing of personal data (if required)

4. Provide education, awareness raising, training and information

  • Coordinated training (tailored to the addressee) and ongoing information for employees
  • Personal training for management levels
  • Continuous updating of the DPA's intranet site
  • Sensitisation of the Business/First Line of Defence, especially in connection with new projects and the analysis of large amounts of data (Big Data Analytics, creation of personality profiles)
  • Preparation of checklists/leaflets/guidelines for data protection sensitive areas (e.g., exchange of personal data with third parties or cross-border data exchange)

5. Select and monitor third party providers and processors

  • Current list of all external processors
  • Conclusion of data processing agreements
  • Regular audit of external processors
  • Ensuring transparency across all subcontractors and enforcement of data protection standards
  • Regular reporting to the data protection authority on the results of the annual review of processors
  • Adaptation of non-disclosure agreements, contract templates

6. Set up a comprehensive control system (incl. reporting, audit, measures)

  • Regular reporting by the DPA to the MB
  • Establishment of a uniform Group-wide reporting structure and a standardised set of KPIs/KRIs covering all data protection aspects
  • Establishment of a standardised audit scheme and coordination of audit plans with related functions (e.g. Internal Audit, Legal Compliance)
  • Risk-based examination of projects regarding the adherence to data protection laws on the part of the Data Protection Advisor
  • Central register for major incidents (e.g. data protection breaches)

How long does the implementation process take?

Successfully integrating data privacy compliance is not a precision landing at exactly 100 per cent on a pre-determined date. In fact, implementation takes time, and that time allows for continuous improvement.

Do you have any questions?