Switzerland gets its GDPR moment

Swiss citizens will be protected by new, stricter and more focused, data protection regulations starting from September 2023. Any business or organization able to collect, store, manage and transfer personal data will have to comply with the new regulation or – if found guilty of missing compliance – they can face hefty fines up to CHF 250,000.

In summary

The New Federal Act on Data Protection (nFADP) is an extension of the existing FADP which alignes the Swiss regulation to the EU's GDPR. The main changes are:

1. 1 - Only data of natural persons, and not those of legal persons, are now covered.
2. 2 - Genetic and biometric data fall under the definition of sensitive data.
3. 3 - The principles of "Privacy by Design" and "Privacy by Default" are introduced. As its name implies, the principle of "Privacy by Design" requires developers to integrate the protection and respect of users' privacy into the very structure of the products or services that collects personal data. The principle of "Privacy by Default" ensures the highest level of security as soon as the products or services are released, by activating by default, i.e. without any intervention from users, all the measures necessary to protect data and limit their use. In other words, all software, hardware and services must be configured to protect data and respect the privacy of users.
4. 4 - Keeping a register of processing activities is now mandatory. However, the ordinance allows exemptions for SMEs whose data processing presents limited risk of harm to the data subject.
5. 5 - Prompt notification to the Federal Data Protection and Information Commissioner (FDPIC) is required in the event of a data security breach.
6. 6 - The concept of profiling (i.e. the automated processing of personal data) is now part of the law.

The impact of data protection on businesses

Most companies produce records of user activity that include personal information and falls within the scope of the New Federal Act on Data Protection. In fact, even the simplest company website produces log files or use analytics tools that are normally able to collect IP addresses and user interaction data.

Moreover companies allowing user registrations to create profiles and that track user activities, preferences, past purchases or behavior for recommendation purposes or to optimize their offering, will now need to start looking into their technology stack and where the data is managed for compliance.

Tracking website or email interactions, using re-marketing tools to expand the audience, adding libraries to a mobile or web application, are all sections of the online activities performed by companies that will now need to be fully scrutinized for data protection and compliance.

The principles of "Privacy by Design" and "Privacy by Default" will in fact now need to be introduced in any software and infrastructure decision favoring suppliers that align with these principles and offer specific tools and designs that can guarantee full compliance.

It is no longer an option to build any website, application or marketing campaign using the most common free tools that were used in the past. US Companies offer very limited data protection tools and some of these do not comply with GDPR and the New Federal Act on Data Protection.

In particular, companies that handle large amounts of personal data – and especially those in the finance, insurance, health care or other sensitive data industries – should begin to look at each component and make sure that data protection is guaranteed.

The regulator has introduced dedicated services to get consultancy, and has introduced the concept of data advisory: private companies may appoint a data protection adviser. This adviser may be an employee of the company, but does not have to be. In either case, the advice on data protection should be provided independently and not be influenced by other activities of the company.

Changes to the software infrastructure might result in lengthy processes and complex changes that are most likely to take months to be deployed. This is alone a compelling reason to start looking into each part of the technology stack for compliance and take action now. By starting to switch data storage and service providers to compliant ones, the effort to become compliant will become easier.

Digital marketing data protection compliance

Data protection compliance is achieved by carefully examining each software component to offer data security, the required functionalities and the vendor's regulatory compliance.

There are several sections that require immediate attention and action, and we recommend comparing the New Federal Act on Data Protection's summary to go through the entire list of recommendations and action on a custom plan.

Privacy by Design and Privacy by Default

Privacy by Design requires developers to integrate the protection and respect of users' privacy into the very structure of the products or services that collects personal data. The principle of Privacy by Default ensures the highest level of security as soon as the products or services are released, by activating by default, i.e. without any intervention from users, all the measures necessary to protect data and limit their use.

These principles mandate that when implementing marketing campaigns all the necessary measures to protect data privacy are factored in the process. This includes minimizing the amount of user data collected so that only the relevant information is tracked and stored. Also, automatic and on-demand deletion needs to be provided in order to purge old data that's not relevant to present communication and activities.

From the technical perspective, the data collection activity should be performed by secure systems that comply with the regulation, and avoid transmission to external entities that do not comply. Data storage and analysis needs to be performed within the boundaries of a compliant organization and provide strong protection from unauthorized third-party access. This can include database encryption at rest and for data in transit, strong security policies to prevent data breaches and data integrity monitoring as well as intrusion detection.

ReachOut offers a dedicated and secure data infrastructure as well as Enterprise-grade options that allow to deploy marketing databases on premises and never transmit any collected data to third parties. Also, all user data is stored in the Zurich-based data center which is already compliant with the New Federal Act on Data Protection.

Storing and transmitting data outside Switzerland

If cross-border disclosure of personal data is planned - which also includes storage on foreign systems (cloud) - the data subjects must be notified of the countries concerned, regardless of whether they offer adequate data protection. In this point, the FADP goes further than the GDPR. It must also be stated which data protection guarantees, if any, are used (e.g., EU standard contractual clauses) or which exceptions, if any, the controller refers to; here, too, the FADP deviates from the GDPR.

In more practical terms, the use of tools such as Google Analytics and other marketing tools from US-based companies might not be considered compliant under the new regulatory framework. The EU has ruled that Google Analytics is not compliant with GDPR and Google published a guide on how to limit the data collection performed by its Analytics library so that GDPR compliance can be achieved.

Cookies and third-party tracking of user activities is going through an exciting transformation and an interesting study released by the consultancy firm McKinsey sets the scene of changes in user tracking, the use of third-party tracking scripts and cookies and what changes are challenging the digital marketing industry.

Tracking user activities for marketing and personalization purposes in the context of digital marketing campaigns can be achieved with first-party only tracking libraries. ReachOut's analytics library for React and email tracking functionality allows website owners to track user activities locally on the same website and collect all the interaction information in a secure, dedicated and Switzerland-based tracking database.

Our perspective on data protection and marketing

While the new regulations impose stricter rules, limitations and compliance procedures, we see the changes as extremely positive for the industry and consumers.

Many internet services were built around the idea that offering free or almost free tools would be a mean for infinite growth and revenue by collecting and using user information with no scrutiny.

This changes today, opening up to new players in the industry that build tools and services that are secure and private by default, guarantee privacy rights and can act at the local level with expertise and a sustainable business model.

The demise of third-party cookies will introduce more limited user tracking and better privacy, with end users starting to grow aware of their privacy rights and carefully pick which service providers offer the best balance of functionality and privacy.

We have been working hard to build a marketing platform that puts privacy and security at its core. Swiss and international businesses acquiring information of Swiss citizens will step up their game in adopting the best tools that are privacy oriented and carefully review their processes to further improve their renowned attention to privacy. There will be new opportunities opening up to security-conscious internal and international markets.