The new Federal Act on Data Protection (nFADP), also known as the revised Federal Act on Data Protection, aims to protect Swiss citizens' privacy and fundamental rights when their data is processed. While the law originated in 1992, the internet’s rapid evolution has forced it to adapt to a new reality.
The revision of the nFADP is based on the requirements of the EU GDPR (General Data Protection Regulation) and went into effect on September 1, 2023. The legislation will improve the processing of data and grant Swiss citizens new rights.
While there are similarities with the EU GDPR, companies must be prepared for their new obligations.
Changes to consider include:
- Keeping a register of processing activities is mandatory
- Only data of natural persons are now covered
- The definition of «sensitive personal data» includes genetic and biometric data
- Personal liability: responsible private persons can now be fined up to CHF 250,000
- User Consent
- Easier Subject Access Requests
- Breach Notification
- Privacy by design and by default
The nFADP will help Swiss companies remain competitive by ensuring that the free movement of data with the European Union can be maintained. It will also help individuals gain more control over their personal data. Swiss and global companies that provide goods or services to Swiss citizens and process sensitive data about them must comply with this legislation from September 1, 2023.
Companies that have already complied with GDPR will have minimal changes to make. However, the main difference lies in the fact that organisations and responsible private persons can now be fined up to CHF 250,000 if they are out of compliance with nFADP.
Now that we’ve covered the essentials of nFADP, here are six questions every company should ask when it comes to this revised legislation, as well as how Own (Formerly OwnBackup) can help:
1. How is my data used, and who has access to it?
Under the nFADP, any individual can ask for details about the personal data an organization collects and stores about them at any time.
Own gives you full access to the personal data requested by data subjects by providing complete auditing access and the ability to easily find a data subject's information. With Own Recover, customers can quickly and easily respond to subject access requests against their backups, submitted directly through Own's easy-to-use application, such as:
- Right to erasure (be forgotten)
- Right to rectification (changes)
- Right to data portability (readable exports)
2. How do I support a culture of privacy by default?
When designing or implementing a system or a way to store information, you should treat privacy as a priority and, by default, make the system as secure as possible. Your obligation to only use providers that offer appropriate levels of security is amply met by selecting Own. We adopt a highly robust security posture which includes:
- Encryption at rest and in transit (FIPS 140-2)
- Pre-set permission sets
- Bring Your Own Key (BYOK) and Bring Your Own Key Management System (BYOKMS)
- Archival data resiliency
- Granular access controls
- SOC 2 Type II audited
- Role-based access controls (RBAC)
3. If a data breach occurs, how will I know?
Where required to do so under the nFADP, organizations should promptly notify users and the Federal Data Protection and Information Commissioner (FDPIC) in the event of a data security breach.
The Own Smart Alert feature notifies users when data or metadata, including profiles and user permissions, is changed, deleted, or corrupted, based on their configured rules or on statistical outliers. Smart Alerts provide prompt notification of data corruption or loss incidents, which is the critical first step in identifying that a data loss or corruption has taken place.
4. How can I be audit ready?
With nFADP, every data controller and data processor working in companies with more than 250 employees must keep a register of their processing activities. If requested, the Record of Processing Activities must be made available to the FDPIC. That register should contain key data security information, such as the identity of the data controller, the purpose of the processing, a general description of the measures to guarantee data security, and even the retention period of personal data.
Both Recover and Own Archive support full auditing access with downloadable logs and reports on changes and records impacted, timestamps, and more. Own Secure also delivers real-time, evidence-based reports to satisfy audits, internal policies, and external regulations such as nFADP or GDPR. Deep reporting on access controls, authorization, the state of data encryption, and more is available.
5. What do I risk if I don’t comply with the nFADP?
- Budget damage: non-compliance can lead to substantial fines, as many companies have discovered to their cost
- Reputation damage: Organisations are responsible for protecting customers' personal data, and any loss could significantly impact customer confidence and tarnish a brand's reputation
6. What can my organisation do now that nFADP is in effect?
Put data protection and data security at the core of your data strategy. This can be accomplished by taking these proactive steps:
- Perform a risk assessment and check for any gaps in your data protection strategy.
- Keep records of all processing activities.
- Define clear processes for Subject Access Requests and procedures for storing, using, transferring, and destroying data.
- Educate your team on the nFADP. Designating a data protection officer (DPO) is not mandatory but is highly recommended.
- Review our Own for nFADP datasheet.
Every organisation’s approach to GDPR and nFADP compliance is different and depends on many factors, including the type of data you control, the regulatory environment in which you operate, and your current privacy and security capabilities. Contact us to find out how Own can help simplify compliance for your data needs, and schedule a custom demo.