In the spotlight: Data protection

Why Swiss SMEs have to tackle data protection right now


In the ongoing change to digitise every industry and area of business, the amount of data that needs to be protected is exploding. Governments are responding with new regulations. The EU’s new data protection rules are very restrictive, and Switzerland is following the same path. But most SMEs in this country aren’t even aware that the new regulations affect them directly and that they have to act now. In this article, we take a look at the specific data protection challenges smaller businesses are facing and how they can go about addressing them. The conclusion: data protection has to be firmly on the board’s agenda, even for SMEs, and embedded in every decision the business makes. Compliance comes at a cost, but if it’s implemented properly there’s a substantial business upside.

Yan Borboën

Partner, Leader Cybersecurity Romandie

The EU’s new general data protection rules – and those the Swiss government is proposing to stay in line with the rest of Europe – are among the most impactful data protection laws of the last 20 years. They’re also very restrictive – in some respects more so than the FINMA regulations for banks, which focus more on financial and client data. Most small and medium-sized enterprises (SMEs) in this country aren’t aware of this, or that the rules are the same for every company, from large multinational food groups to small domestic construction firms. In other words, the majority of SMEs in Switzerland – experience in the field suggests around 90% – are thoroughly unprepared for what is a very urgent challenge.

Why and how the new EU data protection rules affect Swiss SMEs

Although the new rules can only be enforced in the European Union, any Swiss company that directs goods or services to, or monitors, customers in the EU is affected. Given the complex information flows involved in the digital world, the only realistic way of avoiding problems with data transferred between the EU and Switzerland is for the Swiss government to implement very similar rules. This is precisely what it is doing. To avoid uncertainty, which is bad for business, Switzerland is likely to have the new data protection rules in place by the beginning of 2019.

The biggest difference is that, under the Swiss rules, the fines for violation will be a lot lighter than the EUR 20 million (or 4% of worldwide revenues) upper limit proposed in the EU. However, the maximum penalty of CHF 500,000 proposed by the Swiss government is enough to put most SMEs into financial difficulty. And while, as things stand at present, the EU can’t come and impose a fine in Switzerland, experience shows there are other methods of enforcement: in the worst case a Swiss SME could feasibly be prevented from doing business in the EU until it has sorted out its data problem.

Why the new requirements are the same for large and small companies but pose very different challenges for SMEs

What many don’t realise is that the new EU rules apply to all companies in all industries, with the same maximum penalties. But while large corporations in highly regulated sectors such as banking and pharma are used to keeping a constant eye out for new regulation and have the experience and resources to deal with the ongoing challenge of compliance, most SMEs do not. They lack a routine for monitoring the regulatory landscape for relevant new developments, and they don’t have the resources to deal with the data protection challenges that arise. Given the urgency created by the new rules, some SMEs are starting to address this compliance gap right now.

What data SMEs have to protect

The new rules address two main categories of data: personal data (the names, addresses, etc., of people such as customers, employees and partners) and sensitive personal data (health, religion, etc.). Data can also be structured (in databases) or unstructured (in shared folders). The first task for SMEs getting to grips with data protection is to classify and understand the data they have, where it’s located, and how they’re handling it. The next step is to understand how to protect it: how to prevent it from being stolen, unlawfully sold to other companies, or used for purposes the data subject (i.e. the customer, business partner or employee) hasn’t consented to.

A thorough look at any company’s data is likely to show that it impacts just about every area of the business. The new rules – notably the right to be forgotten, the requirement to minimise the amount of data held, and the need to perform data impact analysis – potentially affect every company process.

This has implications if you’re running an SME. For example, every time you launch a client campaign, you have to be aware of whether you can use the data gathered for one purpose (e.g. to send a newsletter to a customer) for another (to invite them to a golf event), or whether you need the customer’s consent to do so. You have to pay attention to how you’re presenting the data issue and requests for consent: the wording of the disclaimer on a newsletter, for example, and whether it’s clear to the customer exactly what they’re being asked to agree to.

It boils down to understanding and classifying your ‘crown jewels’ – the precious information you hold that has to be kept safe, as opposed to the data that doesn’t need to be safeguarded. Once you’ve understood that, you’ll know what to protect, and what concrete measures you need to take to do so.

How SMEs can protect their data despite limited resources and experience

The precise measures required to protect data will depend on your company, the industry it operates in, the customers it serves and the places they’re located – as well as on the data the company gathers and how it handles it. As we’ve seen, the only way to be sure of these things is to classify and understand your data – and then analyse the gap between the current state of affairs and the requirements of the new laws.

Security, including the security measures necessary to protect data, is never just a matter of technology. It’s always about technology, processes and people. To deal with the challenges of data protection, your company will need expertise in all these areas. In addition to deciding on the technology (encryption, firewalls, and so on), someone has to define a data privacy framework and coordinate the relevant roles and responsibilities within your organisation. This requires a mixture of law and IT expertise.

A trained data protection officer (DPO) has this combination of skills. While the new Swiss rules won’t contain the concept of a DPO as such, you have to consider a) whether your organisation needs one because of where you do business; b) whether the size and complexity of your business warrants a dedicated DPO; c) how you can draw on existing expertise within your organisation to fulfil this coordination function even if you don’t appoint a dedicated DPO; or d) whether you need help from outside.

Another important factor to consider is the breach management requirement under the EU rules: companies will have to inform the regulator of an incident within 72 hours, meaning they need to be trained and prepared to identify and respond to problems very quickly. It’s important to realise that even if you have only one customer in the EU, you might be affected by the rules.

Whichever solution your organisation opts for, one thing is sure: the more reliant businesses become on data, the more serious the need for qualified data security experts will become.

How SMEs can reframe the cost of compliance as an investment in a successful future

Of course it costs time, money and effort to keep up with these requirements. The good news is that there’s a strong business upside to getting data protection right. First of all, you avoid the risk of a huge fine that could easily jeopardise your business (up to CHF 500,000 in Switzerland; up to EUR 20 million or 4% of worldwide revenues in the EU).

Secondly, it builds vital customer trust. If you launch a digital channel (for example an online store) and there’s a serious breach of security, customers will stop using the service and it will be an expensive failure that damages your image and contributes to a general erosion of confidence in digital. A recent survey of almost 25,000 web users in 24 countries, conducted by Ipsos and the Centre for International Governance Innovation (CIGI) in collaboration with the United Nations Conference on Trade and Development (UNCTAD) and the Internet Society, found that a significant proportion of people who don’t buy online are discouraged by privacy issues. That means there are a lot of customers you can potentially win by building a solid reputation for data protection.

Thirdly, and perhaps most importantly, knowing and understanding your data and how you handle it gives profound insights into the way your business interacts with its customers (and its employees and suppliers). This will reveal where you have irrelevant data, or where there’s a lack of really useful information. It will help you trim your processes so that they’re more efficient and really add value. And it potentially opens up ways of creating new types of interaction that will make the experience more satisfying for customers and more rewarding for you as a company. In the digital environment this might well be the key to future survival and success.

Are you ready for the new data protection rules?

We’re at your service!

Yan Borboën

Partner, Leader Cybersecurity Romandie

+41 58 792 84 59
