
Page 1

GDPR: Opportunities and Challenges for Swiss Companies

David Rosenthal

RSA SecurID Suite and GDPR Roadshow

January 16-18, 2018

Page 2

Are we facing a Tsunami?

Page 3

Three new regulations …

EU General Data Protection Regulation (GDPR)

In force as of May 25, 2018

Provides for fines for companies of 2% (or EUR 10 Mio.) and 4% (or EUR 20 Mio.) of the worldwide turnover, respectively

Intended to apply also outside the EU (and EEA)

Will soon be followed by the revised EU ePrivacy Regulation

Applies outside the EU, too, and provides for the same fines as the GDPR

Swiss Data Protection Act (DPA)

Overall revision along the same lines as the GDPR, hopefully without "Swiss Finishes"

Deliberations in parliament already underway (see: https://goo.gl/QMZxu9)

Likely to become law in 2019, with a transitional period of two years

Provides for fines for responsible individuals of up to CHF 250'000

Page 4

How well prepared are you?

Some questions for companies …

State-of-the-art data security?

All data processing activities on record?

Data protection compliance fully documented?

Unused data is deleted and all other processing principles are complied with, as well?

Data protection responsibilities are defined?

Data protection is clearly regulated?

All employees are trained, regular audits take place?

Data agreements with providers, partners, etc.?

Data subjects are provided with full information?

Procedures for all data subject rights, privacy impact assessments, data breach notifications?

Some questions for service providers …

State-of-the-art data security?

All data breaches reported immediately?

Transfers to "unsafe" countries and to subcontractors governed by contracts?

There are data protection contracts with all clients?

All customers are supported in connection with data subject requests and privacy impact assessments?

There is a record of data processing of all clients?

All customers can veto subprocessors?

You have a data protection officer?

Who complies with everything? Nobody!

Page 5

Who has which obligations?

Obligations pursuant to the GDPR (as of May 2018) and DPA (as of 2019-2021); the slide marks for each obligation whether it falls on the Controller, the Processor, or both (where the processor's role is "Support", this is noted):

Transparency, information of data subjects, purpose of use limitation

Proportionality (including data minimization, length of record retention)

Legal basis pursuant to GDPR, sufficient justification pursuant to DPA

Correctness of data

Data security

Accountability re compliance with requirements

Prerequisites for transfers abroad

Compliance with data subject rights (right of access, deletion, objection, etc.) (Processor: Support)

Privacy by Default, Privacy by Design

Performance of data protection impact assessments (Processor: Support)

Obligations concerning delegation of data processing (contract, etc.)

Data breach notifications

Data protection officer pursuant to the GDPR

Records of data processing activities

Cooperation with supervisory authorities

Controller = the party in charge of controlling the processing of the data; the data "owner"

Processor = the party processing data for a controller under a mandate of such controller (e.g., an outsourcing provider)

Page 6

GDPR: Applicable to whom?

Companies with an establishment (also) in the EU: GDPR directly applicable. Also applies to Swiss companies (e.g., with an EU branch office).

Companies in Switzerland that clearly intend to offer products or services to individuals in the EU: GDPR directly applicable.

Companies in Switzerland that monitor the behavior of individuals in the EU: GDPR directly applicable.

Companies in Switzerland that have their data processed by a provider in the EU (e.g., cloud): Companies are not subject to the GDPR but will have to be obliged by a contract to comply (unclear). GDPR directly applicable to the provider.

Providers in Switzerland that process data for companies in the EU: Swiss providers will only be contractually obliged to comply with the GDPR (unclear).

Page 7

GDPR: What will change?

It is no longer sufficient to be transparent when collecting data; it now becomes necessary to provide data subjects with a whole list of mandatory information

Each and any data processing activity of a company must be recorded in an inventory

Obligation to perform data protection impact assessments, which in part have to be notified

Obligation to notify data breaches to supervisory authorities and data subjects

Rules for default data processing settings ("Privacy by Default")

Right to human intervention with automated individual decisions that have significant effects

Supervisory authorities with new powers to sanction and intervene and obligations to investigate

Consent has to be obtained separately, not as part of general terms and conditions and without pre-ticked boxes, but with clear information on the right to withdraw at any time

Service users have a right to get a copy of all data established about them ("data portability")

Obligation to nominate a data protection officer and a representative within the EU

(Slide legend: GDPR and DPA / GDPR only)

Page 8

GDPR: What will not change?

A lot will in principle remain as it is

What is in scope, which is personal data, i.e. any information that relates to an identified or identifiable individual

How personal data may be processed, e.g., the principles of data minimization, transparency, purpose of use limitation and correctness of data

Requirements in terms of data security

Requirement of a legal basis such as a contract, consent, legal obligation or legitimate interests

Data subject rights, such as the right of access, right to correct and object, right to be forgotten

Provisions on the transfer abroad, in particular into countries without an adequate level of data protection

But:

Violations are sanctioned more harshly

Burden of proof is (more clearly) upon the controller of a data processing activity ("accountability")

Requirements in terms of documentation and other aspects of governance have increased massively

Expectations of the supervisory authorities on the rise

Example

Data has to be pseudonymized as soon as possible and later on also deleted or anonymized

Many companies do not manage disposal of data

Pseudonymization is even less common

Page 9

New buzzword "Privacy by Design"

All clear? Simpler: Art. 7 para. 1 DPA (today)

Art. 25 GDPR

Page 10

New requirements for contracts with processors

Data processing only for the purposes of the customer

Data processing only upon instruction of the customer

Provider has to ensure adequate data security

No subprocessing without veto right for, or other consent by, the customer

No data exports without instruction or consent by the customer

Employees must be bound to confidentiality

Return and deletion of data following the end of the mandate

Support of the customer when complying with data subject rights

Support of the customer when complying with its obligation to notify data breaches and undertaking data protection impact assessments

Evidence on compliance with requirements, support of audits by customer

Warnings if provider can't comply due to own legal obligations

Under the GDPR, this now has to be included in the provider contract, too

Page 11

New obligation to notify "data breaches"

Data breaches that impact the ability to control data or its integrity have to be recorded and – if consequences are possible for data subjects – notified to the supervisory authority within 72 hours

What has happened? Who is affected? Consequences? Measures? Contact?

Hacking, data loss, misdirected e-mails, access by unauthorized employees, etc., but not an excessive processing of personal data

Intangible consequences are sufficient (e.g., loss of control over data)

If there is a high risk of consequences, there is also an obligation to inform the data subjects

Not necessary in case of measures that prevent access by third parties (e.g., encryption of data) or have in all likelihood eliminated the risk

If informing the data subjects involves disproportionate efforts: A public communication or similar measure, provided data subjects are informed in an "equally effective" manner

Switzerland: Similar, but less strict notification obligations are planned; they have no sanctions

Page 12

What companies should do

Set up a data protection compliance organization

An official data protection officer is often not needed

Clarify your strategy in relation to the GDPR

Will the company be subject to the GDPR? Does it make sense to comply with it voluntarily?

Analyse data processing activities, take record of them, assess and document compliance

Describe data processing activities, collect contracts, etc.; also applies to mere data processors

Compliance Check: Are the requirements of the GDPR complied with? Which measures are necessary? Priorities? Document compliance

Assess the processing of data as a whole ("how to slice the elephant"), risk-based approach

Develop mandatory information for data subjects

Adapt consent declarations and terms & conditions

Verify or enter into GDPR-compliant contracts with third parties

Groups: Intra Group Data Transfer Agreement

Customers, processors, suppliers, other partners

Adapt internal procedures and, where necessary, internal systems

For data security, anonymization and disposal of data, data subject rights, automated decisions, data breach notifications, data protection impact assessments

Have in place guidelines, trainings and audits

Page 13

Conclusion

GDPR means more documentation, more bureaucracy and more pressure to do it right

The principles of how to process personal data do not really change

Outsourcing, including to the cloud, remains possible without any unsolvable problems

Systems have to be adapted to comply with data protection (information obligations, right to give selective consent, right to object and correction, disposal of data no longer needed, etc.)

Chances are that what the GDPR requires you to do you will have to do also under Swiss law

Sanctions provide for management attention, but should not be at the focus

At least in Switzerland they will be the exception

Companies in Switzerland will primarily focus on the Swiss supervisory authority

Nobody fully complies with data protection; therefore, act in a "risk based" manner

Providers: Approach your customers, adapt your contracts, explain to them how you will comply with the requirements of the GDPR and the revised Swiss DPA

Do your homework in terms of documentation

Page 14

And the opportunities?

Opportunity to sell more products and services

Information security, data tools, management and legal advice, project management, etc.

Opportunity to create new, interesting and safe job positions

Data protection officer

Opportunity to get management attention

Data protection has become a board level topic

Opportunity to better understand the data universe of a company, to better manage and in the end also to better exploit it

Far beyond data protection

Opportunity for a company to better market itself

Being an attractive provider due to a high level of data protection compliance

Page 15

I am looking forward to May 25, 2018 …

lic. iur. David Rosenthal

[email protected]

T +41 43 222 16 69

www.homburger.ch

Homburger AG │ Prime Tower │ Hardstrasse 201 │ CH-8005 Zürich