With us, you will find out what GDPR means for your business, how to prepare for it in good time and why you need not be afraid of it. We will support you on the road to compliant data storage and processing.
Rarely has a new law caused such a stir: the new EU General Data Protection Regulation (GDPR) applies not only to the EU Member States and the EEA Member States Norway, Iceland and Liechtenstein. We in Switzerland are also directly affected.
The law has been in force since May 2016 with the aim of harmonizing data protection in the EU. The GDPR protects the personal data of EU citizens and all non-EU citizens resident in the EU.
Personal data is any information that makes a person directly or indirectly identifiable, such as a name, an employee, pension or patient number, location data, IP addresses, social-media posts, or a combination of several characteristics (physical, physiological, genetic, mental, economic, cultural, social). The new regulation strengthens the rights of individuals.
After a two-year transition period, the implementation deadline of 25th May 2018 is now approaching, and from then on companies must ensure compliance with the law. Heavy fines will be payable for infringements: sanctions may be up to €20 million or 4 percent of worldwide annual turnover.
In addition to the principles for the processing of personal data, including data minimization, the regulation covers the following areas:
Reporting of data breaches
Personal data breaches must be reported by the controller within 72 hours.
Right to information on data
Individuals have the right to information on which of their personal data is processed and the purpose for which it is processed.
Right to data deletion
The right to be forgotten entitles the persons affected to demand the deletion of their personal data under certain circumstances, or to have its processing restricted.
Right to data portability
Additional rights of the persons concerned with regard to the transmission and processing of their data by third parties.
Data protection / privacy by design
Data protection is taken into account from the outset, in the design of the technical and organizational measures for data security.
Record of processing activities
Controllers and processors must keep records of their processing activities.
Yes! Because of the regulation's territorial scope, companies that process the personal data of persons resident in the EU are also subject to the law. So, specifically, if you:
Important: The Swiss Data Protection Act is currently undergoing a complete revision and is expected to enter into force in 2018 or 2019. It is expressly modelled on the reforms at European level, so the current draft is very similar to the EU GDPR. Fines in Switzerland will also become much heavier.
It is our experience that many customers are overwhelmed and paralysed by this issue. Much remains vague, and it is not clear what really has to be done.
The basic rule is that the burden of proof lies with the controller, i.e. you as a company. As a company, you must be able to demonstrate compliance with the GDPR at all times. You are subject to a strict duty of documentation and proof, and must also protect personal data with appropriate security measures. For example, companies are obliged to delete the data of applicants, former employees and customers once the purpose of the processing ceases to exist and there is no other legal basis, such as a statutory retention obligation. As a company, you must also know where and in what form the personal data of employees is stored. This can affect the following systems: the ERP/HR system, CRM software, Excel lists, systematically structured paper dossiers and others.
It is important not to ignore the issue, because taking no action is always worse than just getting going. We will be happy to accompany you along the way and to show you how your company can get prepared: the journey is the goal.
GDPR compliance is of great importance to our software partners, which is why they have developed many useful features that make it easier to comply with data protection requirements. However, even with a properly configured system, the work is far from done. A holistic, comprehensive approach is required, because not only your systems but also your organization and processes are affected.
Our many years of HR experience and close cooperation with software partners and lawyers give us the competence to accompany you in the analysis and implementation:
We will support you in the analysis of your personal data, systems and processes. We will identify weaknesses and develop a plan of action with you.
Example: identifying unjustified access by a line manager to an employee's out-of-date warnings.
We will support you in the actual implementation of the measures and introduce tools for data-protection-compliant work.
Examples: setting up retention periods, anonymizing test data, automatically deleting data that is no longer required, restricting access rights depending on the period, etc.
We will support you in developing and establishing a monitoring process and ensure that the defined measures are taking effect.
Examples: a quick, coordinated response to a security incident, and efficient release of employee data.