The revised Data Protection Act (revFADP) enters into force on September 1, 2023. With the revision, the Data Protection Act (FADP) will be adapted to changing technological and social conditions.
Published in IT-Markt No. 08/2022 by author Thorsten Daniels, Senior Vice President, comforte AG
Strengthening data protection
In particular, the revised Data Protection Act intends to improve the transparency of data processing and strengthen the self-determination of data subjects over their data. The revFADP therefore takes into account technical progress and the requirements of the EU General Data Protection Regulation (GDPR).
Which data records are affected?
Going forward, the revFADP will only govern the data protection of natural persons and no longer the data of legal entities (e.g. categories such as “GmbH”, “AG” and “Verein”). Central to the revised act is personal identifiable information (PII), which can be used to derive the identity of an individual person. The list of particularly sensitive personal data has been expanded to include information concerning ethnicity as well as genetic and biometric data that uniquely identify a natural person.
The act distinguishes between profiling and high-risk profiling. Personal data profiling is the automated processing of data to evaluate certain personal aspects of a natural person. High-risk profiling occurs when personal data is processed automatically, and a combination of data allows essential aspects of an individual’s personality to be assessed. Explicit consent must always be provided in the case of high-risk profiling.
Which data security principles apply?
The first task of the responsible data processor is to ensure that the processing of personal data is lawful. In this context, it is vital to be able to keep an overview of all data records within the company. The revFADP therefore requires that companies maintain a directory of all data processing tasks (“Directory of Data Processing Activities”). This is regarded as a prerequisite for effective data protection.
Furthermore, from the planning phase onward, data processing activities must be organized by the controller in such a way that the data protection provisions, and in particular the processing principles, are adhered to (Privacy by Design). In addition, defaults must be configured to ensure that the processing of personal data is limited to only those activities necessary for the specific purpose unless stipulated otherwise by the data subject (Privacy by Default).
Data records must be destroyed or anonymized if longer needed.
Heavy penalties in the event of a data protection breach
A new feature of the revFADP is that natural persons can be punished with a fine of up to CHF 250,000 for intentional breaches of information and disclosure duties and due diligence obligations.
How data-centric data protection can help
We have only touched upon the data protection requirements of the revFADP here, but it is clear that those companies affected have a lot of work to do. To protect personal data, you need to know what data is available and where it can be found. Then you need to figure out the best way to protect it.
Tokenization is an effective measure to protect personal data. In this case, data (e.g. credit card number, etc.) is substituted with a token. This token has the same format as the original data record and can be used automatically by applications, for example, for data analysis. This approach allows companies to comply with data protection laws and protect themselves against the misuse of data if they are the target of an attack.
Be proactive and rely on expert support
Although the revFADP will not enter into force until 2023, all processors of personal data are required to implement the regulations today. Until the revFADP comes into effect, companies are advised to first carry out an inventory of their data processing activities (personal data) in order to subsequently determine the need for data protection action as part of a gap analysis. Identifying and implementing these measures is a major challenge. There is often a shortage of qualified staff and adequate resources. In collaboration with comforte, DataStore offers expert advice and support for the planning and implementation of data protection projects.
Interested? If you have any questions, please contact:
Peter Mätzler
Senior Business Development Manager
E-Mail: peter.maetzler@datastore.ch