The new Data Protection Act (nDSG) and the associated ordinances came into force in Switzerland on September 1, 2023. The amendment adapts data protection to today’s technology and society. People should be able to better understand and control how their data is used. This is also long overdue, considering that the old data protection law still dated from 1992. Google was founded in 1998 and Facebook (Meta) went online in 2004. At the latest, this was when data collection 🐙 began on a grand scale. The GDPR has also been in force since May 2018 and Switzerland has now followed suit, but with a significant difference in penalties.
I will explain in a moment why IT security is becoming even more important as a result and why many are only now reacting.
Why did it need a new law?
Switzerland’s new data protection law has two main objectives:
- It updates the rules to align with today’s technologies such as cloud, social media, AI, Big Data and IoT. This should give people more control over their own data.
- It ensures that data protection in Switzerland is raised to the level of the EU. This is important so that the exchange of data between Switzerland 🇨🇭 and the EU 🇪🇺 continues to be possible without any problems. The law also takes into account EU regulations and international data protection agreements.
Personal data? It does not concern me!
It affects everyone who deals with personal data, both at work and in a club or in private life (except among friends and family). As soon as information directly or indirectly relates to a specific natural person, it is considered personal data. This includes not only name and address, but also things like an IP address or email address. If such data is collected, stored, used, modified or deleted, this is referred to as processing and the updated Data Protection Act applies.
Privacy by Design and Privacy by Default
“Privacy by Default” and “Privacy by Design” mean that companies must build data protection into their technology and settings from the very beginning. This means that when developing apps or websites, data protection rules must already be taken into account in the planning phase. Furthermore, the default settings should always be the most privacy-friendly option. For example, if a website has a members’ area, the user’s name should not be visible in the default setting.
Minimize data collection to the bare minimum
When you build something from scratch (Privacy by Default), it is of course easier to take this into account; retrofitting it later is always a bit more work. It is important that data is used only for the purpose for which it was originally collected. You may only use it for other purposes if there is a valid reason, such as fulfilling a contract, or if the person concerned explicitly agrees.
If the data is no longer required for the original purpose, it must be deleted or made unrecognizable without delay.
The annoying thing about cookies and the cookie banners that come with them.
Cookies are small text files that websites store on the user’s computer or mobile device. They are often used to improve the user experience by storing settings or tracking user behaviour. In the new data protection law, cookies are relevant because they often collect personal data. The law therefore requires that users are clearly informed about which cookies are used and for what. In addition, users must give their consent before cookies can be set. The default settings, which can be seen in the cookie banner, must be data protection-friendly. This means that only absolutely necessary cookies should be automatically activated.
The right to one’s own data
Each person has a right to information about the stored data. This information must usually be provided within 30 days and at no cost to the individual. Individuals have the right to have inaccurate data corrected or to request that data be deleted. However, these rights are not absolute and are subject to limitations, such as retention requirements.
Now let’s move on to the main topic of this article, how to protect data. As you can see, there are various places in a company where data is collected and thus also stored. Everything that is stored somewhere can be stolen, encrypted, changed or deleted. With the necessary technical means, it is now possible to prevent unwanted changes.
The introduction of the new Data Protection Act (nDSG) in Switzerland has significantly increased the importance of IT security in companies, especially in small and medium-sized enterprises (SMEs). Although IT security has always been a critical factor, the nDSG has increased the urgency of this issue. Since the law came into effect on September 1, 2023, we have received a significant increase in requests from SMEs looking to strengthen their IT security measures.
Let someone else take care of it
Many of the requests we received were for Managed Detection and Response (MDR). Companies want to hand over responsibility and realize that IT security is not simply a matter of installing a firewall and relying on the Windows Defender that is already in place.
It is therefore obvious to hand this task over to external service providers who deal with the topic and with threat hunting on a full-time basis, who do nothing else and who are extremely well versed in the scene. This is a wise decision, as MDR provides proactive monitoring of and response to security incidents, which is in line with the requirements of the nDSG. If you have other systems in the company, you can also send this third-party telemetry data to Sophos, so that this data is taken into account for a comprehensive security analysis as well.
Nevertheless, you hear again and again from people who think you can do it yourself and underestimate the scope of this issue. Here I can recommend this article with the videos and you will quickly change your mind: The Ransomware Documentary
I’m talking primarily about the endpoint here, but of course the same is true for the firewall. Configuration, maintenance, audit and pentest should be performed by trained personnel or, if not available, outsourced to an external service provider like us.
Security Audit – Test again and again
While most people take regular inspections and maintenance for their cars for granted, as required by law, IT security is often neglected. In this day and age, when the threat landscape is constantly growing and changing, it is essential to constantly put IT systems to the test.
Regular audits and pentests are an important step towards robust IT security. While audits verify compliance with security policies, pentests simulate cyberattacks to identify vulnerabilities in the system. Both methods are important to ensure that security measures meet current requirements.
A few cybersecurity best practices
In our recent blog post, “Sophos Recommendations – Cybersecurity Best Practices,” we highlighted several points that are important to IT security. Many of these points could fall under the category of “negligence” if not followed, especially in light of the new nDSG.
The FDPIC stands for the Federal Data Protection and Information Commissioner in Switzerland. It is an independent authority that monitors and enforces data protection at the federal level. In the new Data Protection Act (nDSG), the FDPIC plays an important role, as it is responsible for monitoring compliance with the law. In the event of data protection violations that pose a high risk to data subjects, they must be reported to the FDPIC. It can also issue instructions and impose sanctions if data protection provisions are not complied with.
Under the nDSG, cyberattacks that lead to a breach of data security must be reported to the FDPIC. This is particularly the case if the attack poses a high risk to the personal rights or fundamental rights of the persons concerned.
A breach of data security occurs when personal data is accidentally or unlawfully lost, deleted, destroyed, altered or made accessible to unauthorized persons. This must be reported to the FDPIC without delay. The report must be made as soon as possible, usually within 72 hours of becoming aware of the attack. The FDPIC is the competent authority for receiving such notifications and further monitoring the situation. However, the incident must also be reported to the NCSC: Report incident to the National Cyber Security Center (NCSC).
Such a scenario should be thought through in advance, not when the emergency occurs.
In the case of intentional violations of the nDSG, such as violations of obligations to provide information, to cooperate, or to exercise due diligence, private individuals can be fined up to CHF 250,000. In the case of infringements in business operations, the company itself can be fined up to CHF 50,000 if identifying the offending persons would involve disproportionate effort and the fine for those persons would not exceed CHF 50,000.
This is also the main difference from the GDPR. With regard to criminal liability, it should be noted in particular that as of September 1, 2023, the violation of certain obligations gives rise to criminal liability that falls not on the company but on the natural person responsible for it. The responsible persons can be members of the management as well as other persons authorized to make decisions in the company, or those persons who have committed a breach of duty (e.g. breach of confidentiality). Under Swiss law, however, only intentional commission is punishable.
A fine of up to CHF 250,000 can be imposed in Switzerland for various data protection offenses, including:
- Lack of contractual agreements with data processors
- Data security failures such as inadequate technical and organizational measures (TOMs)
- Transfer of personal data to countries without adequate data protection, without additional safeguards, or without a valid exception, such as consent
- Failure to comply with the obligation to provide information
- Disregard of the so-called “minor professional secrecy”.
Switzerland’s revised data protection law also provides for criminal penalties for individuals responsible for such offenses.
FAQ on the new nDSG
What is the new Swiss Data Protection Act?
It is a revision of the 1992 Data Protection Act, which came into force on September 1, 2023, to strengthen data protection in Switzerland and bring it into line with the EU General Data Protection Regulation.
What are the penalties for violations of the nDSG?
Penalties can be as high as CHF 250,000, with criminal sanctions against individuals also possible.
What does “Privacy by Design” mean?
It is a principle in which data protection and data security are integrated into the planning and development of projects from the very beginning.
Do companies have to inform users about the processing of their data?
Yes, companies must clearly inform their users about what data is collected and for what purpose.
Does the nDSG also apply to companies outside Switzerland?
Yes, the law has a cross-border scope and applies to any website that processes personal data of individuals in Switzerland, regardless of where the website is operated.
What requirements does the new nDSG place on consent?
Consent must be specific, informed and voluntary, and users should be able to give consent for different categories of cookies.
Who is affected by the new data protection law?
Everyone who works with personal data is affected by the law. This applies to companies, associations, but also to private individuals, provided that the use of the data goes beyond the private sphere such as family and friends.
Please note that this blog post is only a brief summary of aspects of the new data protection law that we feel are important. We are not legal experts or lawyers. For comprehensive legal advice, you should consult with a qualified attorney to ensure that you meet all legal requirements. Our main source here was Admin.ch :: Press release :: New data protection law as of September 1, 2023