
Prepared for the future: data protection at StiftungSchweiz

The new data protection law will soon come into force in Switzerland. The cut-off date of September 1st, 2023 also means some major changes for StiftungSchweiz that were not implemented overnight. In this article, we will show you what preparations we have made and how data protection is implemented in practice at StiftungSchweiz. We would also like to show you that data protection is not just a buzzword, but an attitude that StiftungSchweiz actively lives by. It is our concern to effectively ensure data protection for our users through careful preparation.

Preparation and an outside view

To ensure that we are focusing on the right elements in our efforts, we already had an external audit conducted last fall. An expert assessed our data inventory and data processing in light of European data protection regulations and determined that the risk was generally not to be classified as high according to this data protection impact assessment.

This audit also revealed the gaps that needed to be filled in view of the new regulations – so our to-do list was well filled. The fundamental question of whether particularly sensitive personal data is processed at all, which is an important one in data protection, could thus be answered at an early stage. At the same time, the initial assessment also helped us to approach the implementation of data protection with a sense of proportion and to assess where the preparatory effort would be smaller and where it would be greater.

When it comes to data protection, an outside perspective is always a good idea – but selective guidance is usually enough, and offers are easy to find. If required, an expert can also support you in creating or revising data protection documents such as the data protection declaration. In addition, there are exciting offers such as the Data Privacy Self Assessment Tool (DSAT) or the data protection generator from Privacy Partner on the web, but more on that later.

Data mission statement: ethics as the basis for data-driven decisions

We decided to take a step back first. Because regardless of the obligations that the Data Protection Act entails, now is the perfect opportunity to give some fundamental thought to how data is handled.

In March of this year, we therefore defined our general approach to data in a data mission statement. It serves as a guide for data-driven decisions. This document underlines our responsibility towards our users and stakeholders and shows that data protection is not just a duty for us, but a matter of the heart. The mission statement is not a mandatory element of data protection, but it is a useful and helpful one – and thus highly recommended for imitation (let us know if we can guide you in this).

In essence: the inventory of data and data processing

A central cornerstone and usually the starting point for dealing with data protection is the data inventory:

Careful preparation begins with a comprehensive inventory of the data collected and the processing operations that take place with that data. Identify all categories of data you process and document the scope as well as the purpose of data processing in your company. This also includes the question, which is important in data protection, of who has access to this data as a recipient. Also record, per category, which software is used – we’ll come back to this point.

For StiftungSchweiz, we have defined 15 categories of data processing, which are set out in a detailed document of over 20 pages. Categories are, for example, personnel administration, our customer data management or customer support, but also electronic contract signing or document storage, which in our case is managed via Microsoft Office 365. The choice of categories requires some thought, because there should be as few categories as possible and as many as necessary – and an additional category usually only becomes necessary when a special case becomes apparent with regard to the data concerned, the recipient or the software used.

If no particularly sensitive personal data is processed and no high-risk profiling is carried out, only companies and organizations with 250 employees or more are required to keep an inventory of all processing in Switzerland. However, the effort is also worthwhile for smaller companies: the detailed inventory enables a deep understanding of the way data is collected, stored and used. Only in this way can we ensure that no essential detail is overlooked and that all data is handled according to an appropriate data protection standard. And that is clearly our aspiration at StiftungSchweiz, even with only a dozen employees.

Demanding but crucial: the impact assessment

Based on the inventory, it is then necessary to conduct a privacy impact assessment per category to identify potential privacy risks and develop measures to minimize these risks. Especially in the case of extensive data processing, this is a crucial measure, which is also supported by online tools, for example by the Open Source Privacy Impact Assessment PIA of the French provider CNIL.

For this step, we used the helpful collection of templates from the “Data Protection Self-Assessment Tool DSAT”, which is also available free of charge. This is because many elements of Swiss data protection operate on the principle of self-declaration. In other words, each organization must decide for itself how strictly it takes data protection and what standard it sets, but is also responsible for its own declaration and assessment. The dsat.ch forms also allow for very pragmatic assessments. Incidentally, they are free of charge because the author and lawyer David Rosenthal is convinced that data protection in Switzerland should be operated cost-effectively and, above all, sensibly – a conviction that we also hold at StiftungSchweiz.

[Screenshot of the dsat.ch website: documents ready for download free of charge]

Based on the inventory, the technical infrastructure is then also checked for data protection compliance and security gaps. Appropriate security measures such as encryption, access controls and regular security updates must be defined to ensure the integrity and confidentiality of the data. These measures can be defined either generally for the company or only for individual categories. In addition, the list of software used included in the inventory creates the necessary overview for the question of where data is stored and processed. For each piece of software, you should know whether this is done in Switzerland or within the European Economic Area, or outside and thus usually in the USA. We will come back to this point later.

Data protection instruction: training for comprehensive awareness

The difference between the new and the old data protection law lies primarily in the consistency of implementation – and enforcement. This means that in Switzerland, the processing of data is still legal in most cases, provided that an appropriate declaration is made and the data subjects are actively communicated with. However, if data is collected beyond its actual purpose, if it is stored improperly or insufficiently protected, or if data protection is simply asserted but not implemented, then things will get serious in future. And, unlike in Germany, for example, this applies primarily to management and the executive board personally. In the case of StiftungSchweiz, that’s the CEO – and author of this blog post.

In the case of inadequate data protection, the first suspicion often falls on technical gaps (which we will come to). However, the human factor is just as crucial. In many so-called data protection incidents, i.e. cases in which data protection was breached, the trigger was not a technical but a human error.

We believe that data protection should not exist only on paper. That is why we have developed a data protection directive that is not only precise and clear, but also understood by all employees. Training our employees is a key component in creating the necessary awareness of data privacy: A first round has taken place and more will follow. This helps to ensure that ALL employees in our organization handle data responsibly and that data protection becomes a lived culture. Incidentally, we have integrated the data protection directive directly into our General Terms and Conditions of Employment, so that it forms an integral part of the employment contracts.

Software: Our order processors

In addition to employee training, one other issue in particular is crucial for careful implementation of data protection: the choice of software you use to process your data. In data protection terms, this often constitutes so-called outsourcing, and the provider of the software is then a so-called order processor (data processor) – and because nowadays there is usually a whole fleet of different tools and solutions in use, there is also a long list of order processors.

The Data Protection Act also imposes obligations on order processors. In fact, a so-called order processing agreement AVV (often also English: Data Processing Agreement DPA) is due for every order processor. By the way, most reputable providers make this contract available directly on their website. If data is stored outside of Switzerland or the European Economic Area (as well as some so-called safe third countries), things get a bit more complicated. This is especially the case with software that stores data in the USA. In that case, adequate protection must be established via so-called standard data protection clauses, the procurement of which can be somewhat more complex. Again, with reputable providers from the USA, these are automatically used, although not always with explicit reference to Switzerland. With the new Data Privacy Framework DPF, this point will also soon become less explosive from a Swiss perspective.

Transparent data protection statement: Comprehensible communication to the outside world

Last but not least, data protection makes it necessary to have a precise, but also clear and understandable, privacy policy on the website. In our case, this is easier said than done, as we use a larger number of services for a good user experience of our website, as is the case with any modern platform today. We therefore relied on the data protection generator co-developed by Steiger Legal, the law firm of attorney Martin Steiger, which generates such a data protection statement for a small fee. On the one hand, this procedure ensures that we have not forgotten any data processing and that our users are fully informed about what happens with their data. On the other hand, the preparation of such a document at the necessary level of precision is simply not realistic for non-lawyers.

By the way: in Switzerland, according to the assessment of renowned lawyers, cookie banners are still not required. They are only mandatory if European telecommunications law must be complied with or if voluntary selection options are to be offered. Since stiftungschweiz.ch is geared towards the Swiss market and already makes a careful consideration in the data mission statement, we take the position that this is not necessary for us.

Data protection checkpoint: Where do you stand?

StiftungSchweiz’s careful preparation for the new data protection regulations makes it clear that we see data protection not as a hassle, but as an opportunity. We are prepared to continuously improve our data protection practices and in this way build a foundation of trust for our organization and our stakeholders.

Likewise, we are prepared to share our accumulated knowledge about data protection and the necessary measures with non-profit organizations. Our new “Checkpoint Data Protection” service helps you identify any need for action and initiate the most important measures. We support you in designing your data protection instructions as well as in setting up an inventory of data processing activities and make it easy for you to get started with templates. We place high demands on these templates because we also use them for ourselves. We are also happy to support you in the development of your training materials.

And our conclusion? In one sentence: the process was demanding, but instructive and very stimulating. We have learned a lot and know that we will continue to learn a lot as we identify weaknesses and optimize our data protection in the future. We have become aware that while we have implemented solid data protection, we also have a lot of potential for improvement. For example, we would rather reduce the number of tools used than continually expand it – while at the same time continuously improving the user experience. That is almost squaring the circle. Regular training is also essential to raise awareness of data protection issues, to keep employees up to date at all times, and to turn them into allies who can identify potential improvements and make suggestions on their own. Data protection can only be effective if it is actively practiced. Data is a valuable asset that we at StiftungSchweiz want to protect – quite independently of the legal provisions, which we naturally want to comply with. By continuously working to improve our data protection, we simultaneously build the trust of our customers, partners and users. Because that’s what an online portal like stiftungschweiz.ch thrives on.
