Data protection

Cybersecurity Map

Current situation 

As digitalisation progresses, a growing volume of data is being produced that can be misused for, among other things, criminal enterprises such as targeted cyber attacks. Consequently, protecting data is becoming ever more important. Data protection is about safeguarding personal privacy, and protecting the data itself is the means of doing so.
Cybersecurity and data protection go hand in hand. For example, unless adequate security measures are in place, unauthorised individuals can gain access to computer systems and data in such a way that data protection is no longer guaranteed. Regarding cybersecurity as part of data protection is therefore crucial. 

Swiss data processors are subject to the following legislation:  

  • The new Swiss Data Protection Act (revFADP): The National Council and Council of States approved the fully revised FADP during the autumn parliamentary session, and it came into force in September 2023 (the previous FADP had been in force since 1992). Full revision was necessitated firstly by the need to adapt the legislation to modern data processing methods, and secondly by the need to align Swiss legislation with the European GDPR, which has been in force since May 2018, so as to ensure equivalent and comparable data protection law. 

  • The EU General Data Protection Regulation (GDPR): The GDPR defines data processors’ due diligence obligations and affects Swiss companies that market goods or services in the European Economic Area (EEA). 

There is considerable global flux in the data protection regulation environment, with many countries following either an approach comparable to the GDPR or an approach based on US legislation, which focuses on cybersecurity. 

Challenges

The three key aspects of data protection – confidentiality, integrity and availability – must be guaranteed. The aim of compliance with data protection requirements is thus to give data subjects partial control over and access to their own personal data while at the same time protecting that data against unjustified access (confidentiality) or unauthorised or unintentional change (integrity). At the same time, data must be accessible to the authorised user when needed (availability). 

Simply complying with these three key aspects of data protection is a challenge for many companies. However, the biggest difficulty lies in controlling data flow, in data processing and in retaining an implicit or explicit purpose limitation for data use once the data has been released. The ability to subsequently analyse data flows and manipulations is therefore key, as are transparent, non-manipulable responsibilities. From a technical point of view, the issue of ensuring systematic control and traceability of data flows and the processing of personal data across several organisations or stages has been at most only partially resolved.  

Data that by law can only be used in non-attributable form has to be anonymised or pseudonymised prior to use. However, these techniques for disguising personal data are not commonplace and the well-known methods do not always adequately protect data confidentiality or integrity.  

Action areas for government, business and civil society: Current gaps

Although there is a legislative framework for data use, effective and efficient implementation is challenging. The price of inadequate data management is paid whenever a new technology, new regulations or new requirements are introduced, whether as applications of artificial intelligence, new cybersecurity frameworks or similar. It is therefore worthwhile creating an appropriate, risk-based foundation for data protection. 

This applies to all sectors and to companies of all sizes. Data-processing organisations should operate suitable, systematic information security and data stream management systems (ISMS and DSMS) as a structural and procedural basis for implementing data protection.  

The systematic control and traceability of data processing and data flows is an area that requires further research and development work. 

To ensure long-term compliance with Swiss and EU data protection legislation, minimum standards and good practices must be defined for anonymisation and pseudonymisation and continually updated in line with progress in analytical methods and solutions. 

Recommendations: How government, business and civil society can close the gaps

  1. Intercantonal harmonisation of data protection should be encouraged. 

  2. The Confederation should set up research programmes investigating the systematic control and traceability of data processing and data flows (e.g. through the SNSF).

  3. Organisations that process data should implement and maintain appropriate, risk-based basic data protection in the form of suitable, structured information security and data stream management systems (ISMS and DSMS). 

  4. The Federal Data Protection and Information Commissioner (FDPIC) should define and continuously update minimum standards and good practices for data anonymisation and pseudonymisation. 

References

Swiss FADP: https://www.fedlex.admin.ch/eli/cc/1993/1945_1945_1945/en 
Swiss OFADP: https://www.fedlex.admin.ch/eli/cc/1993/1962_1962_1962/en 
Swiss DPCO: https://www.fedlex.admin.ch/eli/cc/2007/701/en 
Canton of Zurich’s DPO: http://dsb.zh.ch  
Swiss FDPIC: https://www.edoeb.admin.ch/edoeb/en/home.html 
GDPR: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:02016R0679-20160504 
Anonymisation/pseudonymisation:
How current data anonymisation methods fail: http://www.heise.de/-4624450
Data anonymisation has few benefits: http://www.heise.de/-4479968

 

Authors and subject responsibility

Umberto Annino, Microsoft | Matthias Bossardt, KPMG | Martin Leuthold, Switch | Andreas Wespi, IBM Research

Review Board

Endre Bangerter, BFH | Alain Beuchat, Banque Lombard Odier & Cie SA | Daniel Caduff, AWS | Adolf Doerig, Doerig & Partner | Stefan Frei, ETH Zürich | Roger Halbheer, Microsoft | Katja Dörlemann, Switch | Pascal Lamia, BACS | Hannes Lubich, Board Member and Consultant | Luka Malisa, SIX Digital Exchange | Adrian Perrig, ETH Zürich | Raphael Reischuk, Zühlke Engineering AG | Ruedi Rytz, BACS | Riccardo Sibilia, VBS | Bernhard Tellenbach, armasuisse | Daniel Walther, Swatch Group Services
