New Swiss Data Protection Act (nDSG) – What is extremely important since 01.09.2023?


The new Data Protection Act (nDSG) and the associated ordinances came into force in Switzerland on September 1, 2023. The legal change adapts data protection to today’s technology and society. People should be able to better understand and control how their data is used. This is also long overdue, considering that the old Data Protection Act dated back to 1992. Google was founded in 1998 and Facebook (Meta) went online in 2004. At the latest, this marked the beginning of large-scale data collection 🐙. The GDPR has also been in force since May 2018, and Switzerland has now followed suit, albeit with a significant difference in penalties.

I will explain why IT security is even more important as a result and why many are only now reacting.

Why was a new law needed?

The new Swiss Data Protection Act has two main objectives:

  • It updates the rules to adapt them to today’s technologies such as cloud, social media, AI, Big Data, and IoT. This is intended to give people more control over their own data.
  • It ensures that data protection in Switzerland is brought up to the level of the EU. This is important so that data exchange between Switzerland 🇨🇭 and the EU 🇪🇺 can continue without problems. The law also takes into account EU regulations and international data protection agreements.

Personal data? It doesn’t concern me!

It concerns everyone who deals with personal data, whether at work, in an association, or in private life (excluding friends and family). As soon as information relates directly or indirectly to an identifiable natural person, it is considered personal data. This includes not only name and address, but also things like an IP address or email address. If such data is collected, stored, used, changed, or deleted, that counts as processing and the updated Data Protection Act applies.

Privacy by Design and Privacy by Default

“Privacy by Default” and “Privacy by Design” mean that companies must incorporate data protection into their technology and settings from the outset. Data protection rules must therefore be considered already in the planning phase when developing apps or websites. In addition, the default settings should always be the most data-protection-friendly option. For example, if a website has a member area, the user’s name should not be visible by default.

Minimize data collection to what is necessary

When something is built from scratch (Privacy by Default), it is naturally easier to take this into account; afterwards, it is always a bit more complex. It is important that data is only used for the purpose for which it was originally collected. It may only be used for other purposes if there is a valid reason, such as fulfilling a contract, or if the data subject explicitly consents.

If the data is no longer required for the original purpose, it must be deleted or anonymized without delay.

Cookies 🍪

The annoying thing about cookies and the associated cookie banners.

Cookies are small text files that are stored by websites on the user’s computer or mobile device. They are often used to improve the user experience by saving settings or tracking user behavior. In the new Data Protection Act, cookies are relevant because they often collect personal data. The law therefore requires that users are clearly and distinctly informed about which cookies are used and for what purpose. In addition, users must give their consent before cookies can be set. The default settings that can be seen in the cookie banner must be data-protection-friendly. This means that only absolutely necessary cookies should be activated automatically.

However, operating a website without cookies that collect user data is no longer difficult. Thanks to the GDPR, various new tools are available as alternatives that take data protection seriously. Our website does not use cookies.
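As an added illustration of the consent rule above (example code, not part of the original post or any product it mentions), the snippet below places a weak cookie default beside a data-protection-friendly one and gates every cookie write on the visitor's recorded consent. The category names, cookie names and the in-memory jar standing in for document.cookie are constructed for the example.

```javascript
// Added example: a minimal consent gate for cookie categories. Only
// "necessary" cookies may be set before the visitor has explicitly opted in.
// The Map `jar` is a constructed stand-in for document.cookie so the code
// runs outside a browser; a real site would write to document.cookie instead.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Weak default: every category pre-enabled, consent silently assumed.
const WEAK_DEFAULT = { necessary: true, analytics: true, marketing: true };

// Data-protection-friendly default: only what the site cannot work without.
const COMPLIANT_DEFAULT = { necessary: true, analytics: false, marketing: false };

// Build a consent record from the visitor's explicit choices. Only an actual
// `true` counts as opt-in (no pre-ticked boxes); "necessary" is always on.
function recordConsent(choices) {
  const consent = { ...COMPLIANT_DEFAULT, decidedAt: new Date().toISOString() };
  for (const c of CATEGORIES) {
    if (c !== "necessary" && choices[c] === true) consent[c] = true;
  }
  return consent;
}

// Gate: set a cookie only if its category is currently permitted.
// Returns true if the cookie was written, false if it was blocked.
function setCookie(jar, consent, name, value, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown category ${category}`);
  if (!consent[category]) return false; // blocked: no consent for this category
  jar.set(name, value);
  return true;
}

// Walkthrough: before consent only the session cookie lands in the jar;
// after an analytics-only opt-in, marketing cookies remain blocked.
function demo() {
  const jar = new Map();
  const before = {
    session: setCookie(jar, COMPLIANT_DEFAULT, "sid", "abc", "necessary"),
    analytics: setCookie(jar, COMPLIANT_DEFAULT, "_ga", "x", "analytics"),
  };
  const consent = recordConsent({ analytics: true }); // visitor's explicit choice
  const after = {
    analytics: setCookie(jar, consent, "_ga", "x", "analytics"),
    marketing: setCookie(jar, consent, "_fbp", "y", "marketing"),
  };
  // Same call against the weak default shows why pre-enabling everything fails.
  const weakLeak = setCookie(new Map(), WEAK_DEFAULT, "_fbp", "y", "marketing");
  return { before, after, weakLeak, cookies: [...jar.keys()] };
}
```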

Privacy Policy

The Privacy Policy is an essential document that should be available on every company website. It informs visitors and customers about what personal data is collected, how this data is used and stored, and what rights data subjects have regarding their data. Furthermore, a clear and understandable privacy policy is not only good business practice but also legally required, especially in light of new data protection laws. It should be regularly updated to reflect new legal requirements or changes in data processing practices.

The Right to Your Data

Every person has a right to information about their stored data. This information must generally be provided within 30 days and free of charge to the person concerned. Individuals have the right to have incorrect data corrected or to request the deletion of data. However, these rights are not absolute and are subject to restrictions, such as the retention obligation.

IT Security

Let’s now turn to the actual topic of this article: how to protect data. As you can see, there are various places in a company where data is collected and thus also stored. Anything that is stored somewhere can be stolen, encrypted, changed, or deleted. With the necessary technical means, you now have the opportunity to prevent unwanted changes.

The introduction of the new Data Protection Act (nDSG) in Switzerland has significantly increased the importance of IT security in companies, especially in small and medium-sized enterprises (SMEs). Although IT security has always been a critical factor, the nDSG has further intensified the urgency of this issue. Since the law came into force on September 1, 2023, we have received a significant increase in inquiries from SMEs looking to strengthen their IT security measures.

Someone else should take care of it

Many inquiries we received focused on the Managed Detection and Response (MDR) service. Companies want to delegate responsibility and recognize that IT security is not simply taken care of by installing a firewall and the already existing Windows Defender.

It therefore makes sense to outsource this task to external service providers who work on the topic full-time, are engaged in threat hunting, do nothing else, and know the scene extremely well. This is a wise decision, as MDR offers proactive monitoring of and response to security incidents, which is in line with the requirements of the nDSG. If you have other systems in the company, you can also send this third-party telemetry data to Sophos, so that it is taken into account in a comprehensive security analysis as well.

Nevertheless, you still hear people who think they can do it themselves and underestimate the significance of this topic. Here I can recommend this article with the videos, and you will quickly change your mind: The Ransomware Documentary

I am primarily talking about the endpoint here, but the same also applies to the firewall, of course. Configuration, maintenance, auditing, and penetration testing should be carried out by trained personnel or, if not available, outsourced to an external service provider like us.

Security Audit - Always test again

While most people take regular inspections and maintenance for their cars for granted, as required by law, IT security is often neglected. Yet, especially in today’s world, where the threat landscape is constantly growing and changing, it is essential to constantly put IT systems to the test.

An important step towards robust IT security is regular audits and penetration tests. While audits verify compliance with security guidelines, penetration tests simulate cyberattacks to identify vulnerabilities in the system. Both methods are important to ensure that security measures meet current requirements.

A few Cybersecurity Best Practices

In our recently published blog post “Sophos Recommendations – Cybersecurity Best Practices”, we highlighted several points that are important for IT security. Many of these points could fall under the category of “negligence” if not observed, especially in light of the new nDSG.

Reporting obligation

The FDPIC stands for the Federal Data Protection and Information Commissioner in Switzerland. It is an independent authority that monitors and enforces data protection at the federal level. In the new Data Protection Act (nDSG), the FDPIC plays an important role as it is responsible for monitoring compliance with the law. In the event of data breaches that pose a high risk to the personal rights or fundamental rights of the data subjects, these must be reported to the FDPIC. It can also issue instructions and impose sanctions if data protection regulations are not complied with.

Report an incident to the National Cybersecurity Centre (NCSC): report.ncsc.admin.ch

Under the nDSG, cyberattacks that lead to a breach of data security must be reported to the FDPIC. This is particularly the case if the attack poses a high risk to the personal rights or fundamental rights of the data subjects.

A data security breach occurs if personal data is unintentionally or unlawfully lost, deleted, destroyed, altered, or made accessible to unauthorized persons. This must be reported to the FDPIC without delay. The report must be made as soon as possible, generally within 72 hours of the attack becoming known. The FDPIC is the competent authority for receiving such reports and further monitoring the situation. However, the incident must also be reported to the NCSC: Report incident to the National Cybersecurity Centre (NCSC)

Such a scenario should be thought through in advance and not only when the worst comes to the worst.

Punishability

In the case of intentional violations of the nDSG, such as violations of information, disclosure, cooperation, or due diligence obligations, private individuals can be fined up to 250,000 CHF. For offenses in business operations, the company itself can be fined up to CHF 50,000 instead, if identifying the culpable persons would involve disproportionate effort and the fine that would apply to them would not exceed CHF 50,000.

This is also the essential difference from the GDPR. With regard to punishability, it must be kept in mind that since September 1, 2023, the violation of certain obligations is a punishable offense, and the liability falls not on the company but on the responsible natural person. The responsible persons can be members of the management, other decision-makers in the company, or those persons who actually committed the breach of duty (e.g., a breach of confidentiality). In Swiss law, however, only intentional commission is punishable.

A fine of up to 250,000 CHF can be imposed in Switzerland for various data protection offenses, including:

  • Lack of transparency or missing privacy policy
  • Missing contractual agreements with data processors
  • Failures in data security such as insufficient technical and organizational measures (TOMs)
  • Transfer of personal data to countries without adequate data protection, without additional security precautions, or without a valid exception, such as consent
  • Failure to comply with the obligation to provide information
  • Disregard for the so-called “small professional secret”

The revised Swiss Data Protection Act also provides for criminal consequences for individuals who are responsible for such offenses.

FAQ about the new nDSG

What is the new Swiss Data Protection Act?

It is a revision of the 1992 Data Protection Act, which came into force on September 1, 2023, to strengthen data protection in Switzerland and adapt it to the EU General Data Protection Regulation.

What are the penalties for violations of the nDSG?

Penalties can amount to up to 250,000 CHF, with criminal sanctions also possible against individuals.

What does "Privacy by Design" mean?

It is a principle where data protection and data security are integrated into the planning and development of projects from the outset.

Do companies have to inform users about the processing of their data?

Yes, companies must clearly and distinctly inform their users about what data is collected and for what purpose.

Does the nDSG also apply to companies outside Switzerland?

Yes, the law has a cross-border scope and applies to any website that processes personal data of individuals in Switzerland, regardless of its location.

Who is affected by the new Data Protection Act?

Everyone who works with personal data is affected by the law. This applies to companies, associations, but also to private individuals, provided that the use of data goes beyond the private sphere such as family and friends.

Disclaimer ⚖️

Please note that this blog post is only a brief summary of aspects of the new Data Protection Act that we consider important. We are not legal experts or lawyers. For comprehensive legal advice, you should consult a qualified lawyer to ensure that you comply with all legal requirements. Our main source was the Admin.ch press release “New data protection law from September 1, 2023”.

Patrizio