The revised data protection law came into effect on 01.09.2023 and is immediately applicable. There are only a few transitional provisions tailored to specific circumstances. Non-compliance with data protection regulations can result in fines of up to CHF 250,000.00. Compliance should therefore be taken seriously.
So, what needs to be done? Take a structured approach. This will ensure that you know where personal data is being processed, how it is protected, and whether additional measures need to be taken.
Inventory
Compliance with the obligations under the data protection law requires knowing which personal data is collected within your company, where and how it is processed, how it is already protected, and whether it is disclosed to third parties or processors or transferred abroad.
The inventory is the basis for identifying the necessary measures.
Identification of Measures to be Taken
Based on the inventory, you can identify the measures necessary to comply with the new data protection law and work on their implementation. Identifying the measures to be taken requires understanding your obligations under the revised data protection law. It may be advisable to implement certain measures even if there is no legal obligation to do so.
Implementation of Measures
Once you have identified the measures to be taken, you can begin implementing them. Consider the following in particular:
- Privacy policy for customers, contractual partners, etc.
- Privacy policy for employees
- Application list
- Record of processing activities (if required)
- etc.
Organisational Measures
The revised data protection law does not prescribe specific requirements for how companies must be organised. However, organisational measures can simplify compliance with the law and give you an overview. They can also make it easier to respond to inquiries from affected individuals or to data security breaches.
Services