The new, harmonised EU General Data Protection Regulation (GDPR) came into force on 24 May 2016 and is to be applied from 24 May 2018 without any further transitional period. All companies operating in the EU, regardless of where their registered office is located, are already subject to the legislation, and alignment of Swiss law is already underway. For us, this is reason enough to examine the regulation in more detail in a series of articles.
Key elements for implementation at company level
Three main measures need to be implemented at company level.
- With very few exceptions, a data protection officer must be appointed. This officer is responsible for informing and advising the controllers, employees and any contract processors about their obligations under data protection law. He or she must monitor compliance with the requirements and the implementation of the relevant measures, and also serves as contact person and coordinator for all inquiries and information flows relating to data protection. The demands placed on this person are very high, as he or she must have comprehensive expertise in the field of data protection. Especially where an in-house solution is preferred, this could prove to be an obstacle unless accompanying measures are taken, because there is a considerable risk of liability and fines if the role is not filled properly.
- A systematic risk analysis is also required. Most companies will already have a documented risk analysis, especially if their processes are ISO 9001 certified. However, in order to meet the special requirements of data protection, it is advisable to include the persons whose data is processed as a separate asset in the risk analysis. This ensures that risks which might have little impact on the company itself, but a considerable impact on the data subjects, are also identified and appropriately assessed. It also makes sense to record the various considerations that led to a particular assessment of a data protection-relevant risk, so that the assessment can be easily followed and the required traceability is maintained. Subsequently, appropriate measures to reduce the risks must be defined and implemented.
- There is an obligation to keep a register of processing operations. This must document which data processing operations exist, exclusively with regard to data relating to natural persons. It is a structured register that records each processing operation, its purpose, the persons and data categories concerned, the recipients of the data and the deletion periods. This measure is comparatively easy to implement, although not necessarily with little effort, as a template can be prepared and filled in.
Processing specific key elements
Once the company-wide foundations have been laid, we can look at the individual processing operations. Four measures are central here.
- Before a processing operation goes live, a so-called data protection impact assessment must be carried out if personal data are processed. The data protection impact assessment is in principle nothing more than a more detailed risk analysis relating to this particular processing operation. There are various requirements to be taken into account for this. As with the company-wide risk analysis, it is advisable to keep records of the cost/benefit considerations regarding measures that have not been implemented. That way, it can be shown at any time that certain measures were discussed, and why they were considered unsuitable or disproportionate.
- A suitable security concept must be drawn up. This concept must integrate the measures deemed necessary according to the data protection impact assessment. The security concept can of course be based on any existing, higher-level concepts. It describes the technical and organisational measures to protect the application and data. The important implementation principles such as privacy by default must also be taken into account.
- In most cases outside of public administration, it can also be assumed that the processing of personal data is based on the explicit consent of the data subjects. Consent management must be established accordingly. In addition to the particularly important consent itself, the various information and disclosure obligations and the data subjects' rights of objection, correction and deletion can also be integrated into this process. Incidentally, consent may be obtained purely electronically, in which case a double opt-in procedure and suitable logging should be implemented.
- Data protection-compliant agreements must be concluded with suppliers/processors. The key point to note here is that the client cannot transfer responsibility for data protection to the processor. In any case, he remains responsible for the processing of personal data. By means of appropriate contractual clauses, the client must ensure that the processor does not carry out processing in third countries without an adequate level of protection, either himself or through subcontractors. Furthermore, the contract must list the technical and organisational measures to be implemented by the processor and take precautions to enable the data subjects to enforce their rights, such as the right to deletion.
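The consent management step above (electronic consent via double opt-in, with logging of each consent event so that it can later be demonstrated) could be implemented along the following lines. This is an added example and not code from the article or its author; the class name, the token lifetime of 24 hours and the injectable `clock` are assumptions made here.

```python
from datetime import datetime, timedelta, timezone
import secrets


class ConsentManager:
    """Double opt-in consent store with an append-only event log (hypothetical example)."""

    def __init__(self, token_ttl=timedelta(hours=24), clock=None):
        self._ttl = token_ttl  # assumed lifetime of an unconfirmed opt-in token
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._pending = {}   # token -> (subject_id, purpose, requested_at)
        self._consents = {}  # (subject_id, purpose) -> confirmed_at
        self.log = []        # append-only: (iso timestamp, event, subject_id, purpose)

    def _record(self, now, event, subject_id, purpose):
        self.log.append((now.isoformat(), event, subject_id, purpose))

    def request(self, subject_id, purpose):
        """Step 1 of double opt-in: the subject asks to consent for one purpose.
        Returns an unguessable token to be delivered out-of-band (e.g. by e-mail)."""
        now = self._clock()
        token = secrets.token_urlsafe(32)
        self._pending[token] = (subject_id, purpose, now)
        self._record(now, "consent_requested", subject_id, purpose)
        return token

    def confirm(self, token):
        """Step 2: the subject presents the token. Consent is valid only after this.
        A token is single-use and rejected once the assumed lifetime has passed."""
        now = self._clock()
        entry = self._pending.pop(token, None)
        if entry is None:
            return False  # unknown, expired or already-used token
        subject_id, purpose, requested_at = entry
        if now - requested_at > self._ttl:
            self._record(now, "consent_token_expired", subject_id, purpose)
            return False
        self._consents[(subject_id, purpose)] = now
        self._record(now, "consent_confirmed", subject_id, purpose)
        return True

    def withdraw(self, subject_id, purpose):
        """Right of objection: withdrawal is logged even if no consent was active."""
        now = self._clock()
        removed = self._consents.pop((subject_id, purpose), None) is not None
        self._record(now, "consent_withdrawn", subject_id, purpose)
        return removed

    def has_consent(self, subject_id, purpose):
        """Check before processing: is there confirmed, unwithdrawn consent for this purpose?"""
        return (subject_id, purpose) in self._consents
```

The purpose is part of every record so that the log can be reconciled with the register of processing operations, and the log is only ever appended to.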
This is the end of our five-part article series. We hope that we have been able to give you an overview and that one or another piece of information will support you in the legally compliant implementation of digitisation and IT projects.
In a few weeks' time, the new rules will begin to apply in earnest in the EU. At the same time, the total revision of the Data Protection Act is also underway in Switzerland. Even if some questions have not yet been decided, it can be reliably predicted that in a few months Switzerland will also issue comparable rules so as not to lose the equivalence of Swiss data protection currently confirmed by the EU Commission. This means that even companies that are purely geared to the domestic market will soon be subject to, and able to benefit from, these compliance requirements.
Our series of articles on the topic
- In the lead-in article we drew attention to the need for action.
- In part 1 of the series we introduced the different actors and set the framework.
- In part 2 we highlighted the principles of data protection based on four pillars.
- Part 3 explained the special requirements for processing special categories of personal data and for profiling, which is considered particularly critical.
- Part 4 highlighted legally privileged, desirable processing methods.
- This last part of the series concludes with a framework for the pragmatic and appropriate implementation of data protection in your IT project.
About the author
Stefan Haller is an IT expert specialized in risk management, information security and data protection at linkyard. He supports companies and public authorities in risk analysis in projects, the design and implementation of compliance requirements in software solutions as well as in the creation of IT security and authorization concepts. He is certified in risk management and has carried out numerous security audits based on the ISO standard 27001 as an internal auditor for more than 10 years.
Do you have any questions regarding the implementation in your company? firstname.lastname@example.org | +41 78 746 51 16