What are the basics of data security under the revised Federal Data Protection Act?

Philipp Rosenauer
Partner Legal, PwC Switzerland

The importance of data security is constantly increasing. Companies holding back on digitisation today will have an increasingly difficult time in the years to come. It is important that companies know their data flows and can protect them. Data management should be continuously analysed and the processes adjusted accordingly. Data security risks must also be documented and managed. However, this alone is not enough: the company is not only responsible for taking the necessary data security precautions, but also for ensuring that employees are trained and informed in this area. Humans are the weakest link in data security.

What does a functioning data security process require?

To guarantee data security, it is necessary to ensure that control mechanisms are correctly implemented in the business processes. It is worth investing more time, budget, and effort in proper data security, even if the benefits are not immediately apparent. We often hear that it’s not a matter of if an attack will take place, but when. Because of this, various areas must be included – meaning that it is not only purely technical hazards that need to be managed. Physical measures, such as access controls in buildings, also play a key role in data security.

In general, the relevant controls depend on the company and its processes. Typical controls are access controls, data carrier controls and storage controls. Additionally, frameworks and standards such as those issued by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO) should be considered when enforcing data security within your company.

What’s the difference between data protection and data security?

The General Data Protection Regulation (GDPR) and the revised FADP require that data security is ensured. It is important to mention that data protection and data security are not synonyms. Data security protects data by ensuring confidentiality, integrity, and availability. Data protection, on the other hand, protects the individual whose data are being processed by defining the conditions for the processing and who can access the data. Consequently, data security is essential in order to guarantee data protection. To look at it another way, it is of little use to process data according to the laws and regulations if you keep them in an unsafe place where anyone can access them with ease.

What steps should your company take to mitigate the risks?

  • Data security must be continuously adapted to prevent cybercrime. Cybercriminals’ tactics are rapidly evolving. Besides controls like penetration testing, technical solutions such as threat intelligence software should be implemented.
  • Make sure that your employees access information only according to the need-to-know principle, meaning that they only access the information they require for their work. Remember that threats do not only come from the outside, but also from inside your organisation.
  • With regard to company devices, it is important that data are backed up and protected with a strong password. Ideally, a security app should allow remote deletion of the data in the event of theft.
  • Enforce a clean desk policy. When employees leave their workplace, they must ensure that no personal or business data can be accessed by unauthorised persons by storing computers and documents safely.
  • You should conduct regular phishing campaigns internally and assess the statistics. How many employees click on the malicious e-mail? Provide them with a training session if necessary.
  • Regular crisis simulations help train employees for emergency scenarios. It is therefore essential to have reliable business continuity management and disaster recovery management plans in place.
  • Most importantly, as humans are the most vulnerable part of the chain, employees must receive regular training. The best architecture and measures are worthless if your employees do not act according to the internal policies.
