In the spotlight: Data protection
Partner, Leader Cybersecurity Romandie
The EU’s new general data protection rules – and those the Swiss government is proposing to stay in line with the rest of Europe – are among the most impactful data protection laws of the last 20 years. They’re also very restrictive – in some respects more so than the FINMA regulations for banks, which focus more on financial and client data. Most small and medium-sized enterprises (SMEs) in this country aren’t aware of this, or that the rules are the same for every company, from large multinational food groups to small domestic construction firms. In other words, the majority of SMEs in Switzerland – experience in the field suggests around 90% – are thoroughly unprepared for what is a very urgent challenge.
Although the new rules can only be enforced in the European Union, any Swiss company that directs goods or services to, or monitors, customers in the EU is affected. Given the complex information flows involved in the digital world, the only realistic way of avoiding problems with data transferred between the EU and Switzerland is for the Swiss government to implement very similar rules. This is precisely what it is doing. To avoid uncertainty, which is bad for business, Switzerland is likely to have the new data protection rules in place by the beginning of 2019.
The biggest difference is that under the Swiss rules the fines for violation will be a lot lighter than the EUR 20 million (or 4% of worldwide revenues) upper limit proposed in the EU. However, the maximum penalty of CHF 500,000 proposed by the Swiss government is enough to put most SMEs into financial difficulty. And while, as things stand at present, the EU can’t come and impose a fine in Switzerland, experience shows there are other methods of enforcement: in the worst case a Swiss SME could feasibly be prevented from doing business in the EU until it has sorted out its data problem.
What many don’t realise is that the new EU rules apply to all companies in all industries, with the same maximum penalties. But while large corporations in highly regulated sectors such as banking and pharma are used to keeping a constant eye out for new regulation and have the experience and resources to deal with the ongoing challenge of compliance, most SMEs do not. They lack a routine for monitoring the regulatory landscape for relevant new developments, and they don’t have the resources to deal with the data protection challenges that arise. Given the urgency created by the new rules, some SMEs are starting to address this compliance gap right now.
The new rules address two main categories of data: personal data (the names, addresses, etc., of people such as customers, employees and partners) and sensitive personal data (health, religion, etc.). Data can also be structured (in databases) or unstructured (in shared folders). The first task for SMEs getting to grips with data protection is to classify and understand the data they have, where it’s located, and how they’re handling it. The next step is to understand how to protect it: how to prevent it from being stolen, unlawfully sold to other companies, or used for purposes the data subject (i.e. the customer, business partner or employee) hasn’t consented to.
A thorough look at any company’s data is likely to show that it impacts just about every area of the business. The new rules – notably the right to be forgotten, the requirement to minimise the amount of data held, and the need to perform data impact analysis – potentially affect every company process.
This has implications if you’re running an SME. For example, every time you launch a client campaign, you have to be aware of whether you can use the data gathered for one purpose (e.g. to send a newsletter to a customer) for another (to invite them to a golf event), or whether you need the customer’s consent to do so. You have to pay attention to how you’re presenting the data issue and requests for consent: the wording of the disclaimer on a newsletter, for example, and whether it’s clear to the customer exactly what they’re being asked to agree to.
It boils down to understanding and classifying your ‘crown jewels’ – the precious information you hold that has to be kept safe, as opposed to the data that doesn’t need to be safeguarded. Once you’ve understood that, you’ll know what to protect, and what concrete measures you need to take to do so.
The precise measures required to protect data will depend on your company, the industry it operates in, the customers it serves and the places they’re located – as well as on the data the company gathers and how it handles it. As we’ve seen, the only way to be sure of these things is to classify and understand your data – and then analyse the gap between the current state of affairs and the requirements of the new laws.
Security, including the security measures necessary to protect data, is never just a matter of technology. It’s always about technology, processes and people. To deal with the challenges of data protection, your company will need expertise in all these areas. In addition to deciding on the technology (encryption, firewalls, and so on), someone has to define a data privacy framework and coordinate the relevant roles and responsibilities within your organisation. This requires a mixture of law and IT expertise.
A trained data protection officer (DPO) has this combination of skills. While the new Swiss rules won’t contain the concept of a DPO as such, you have to consider a) whether your organisation needs one because of where you do business; b) whether the size and complexity of your business warrants a dedicated DPO; c) how you can draw on existing expertise within your organisation to fulfil this coordination function even if you don’t appoint a dedicated DPO; or d) whether you need help from outside.
Another important factor to consider is the breach management requirement under the EU rules: companies will have to inform the regulator of an incident within 72 hours, meaning they need to be trained and prepared to identify and respond to problems very quickly. It’s important to realise that even if you have only one customer in the EU, you might be affected by the rules.
Whichever solution your organisation opts for, one thing is sure: the more reliant businesses become on data, the more serious the need for qualified data security experts will become.
Of course it costs time, money and effort to keep up with these requirements. The good news is that there’s a strong business upside to getting data protection right. First of all, you avoid the risk of a huge fine that could easily jeopardise your business (up to CHF 500,000 in Switzerland; up to EUR 20 million or 4% of worldwide revenues in the EU).
Secondly, it builds vital customer trust. If you launch a digital channel (for example an online store) and there’s a serious breach of security, customers will stop using the service and it will be an expensive failure that damages your image and contributes to a general erosion of confidence in digital. A recent survey of almost 25,000 web users in 24 countries, conducted by Ipsos and the Centre for International Governance Innovation (CIGI) in collaboration with the United Nations Conference on Trade and Development (UNCTAD) and the Internet Society, found that a significant proportion of people who don’t buy online are discouraged by privacy issues. That means there are a lot of customers you can potentially win by building a solid reputation for data protection.
Thirdly, and perhaps most importantly, knowing and understanding your data and how you handle it gives profound insights into the way your business interacts with its customers (and its employees and suppliers). This will reveal where you hold irrelevant data, or where there’s a lack of really useful information. It will help you trim your processes so that they’re more efficient and really add value. And it potentially opens up ways of creating new types of interaction that will make the experience more satisfying for customers and more rewarding for you as a company. In the digital environment this might well be the key to future survival and success.
Are you ready for the new data protection rules?