Five months have passed since the 25 May 2018 deadline to comply with the EU General Data Protection Regulation (GDPR). Time to take stock.
Some developments since then have been expected. For example, the widespread uncertainty among organizations regarding the interpretation of the regulation – something that becomes evident when we speak with our clients.
Some other developments are surprising, however. For example, the rather widespread misconception that explicit consent of the individual is required for all data processing. Article 6 of the GDPR also contains five other lawful bases for data processing (contract, legal obligation, vital interests, public task, legitimate interest) – and none of them is “better” or more important than the others.
As we have read in the media in recent weeks, the GDPR has also led to curiosities, as in the case of a property organization in the EU that, following a tenant’s complaint, has planned to remove the names from the bell signs of 220,000 apartments.
Last week, FAZ.net described the situation around the GDPR as follows: “With the new data protection regulation, the EU states have served themselves a toxic cocktail of panic over fines, helplessness and the desire to forbid.”
In this blog post, let us have a look at Switzerland. Where do Swiss companies stand regarding data protection? What is Switzerland’s status regarding the adaptation of its Data Protection Act (DPA) to the Internet age and EU regulation? And finally, following Gartner’s recent presentation of the “Top 10 Strategic Technology Trends”, we take a brief look at the future of data protection.
A need to catch up
Requirements and reality regarding data protection seem to diverge in Swiss companies. This is one of the main conclusions drawn by the authors of the study “Data Protection in Swiss Companies 2018” of the Zurich University of Applied Sciences (ZHAW). It was published last month and is based on a survey of 265 mostly small and medium-sized companies (SMEs). According to the authors, the study participants roughly represent the overall Swiss economic structure.
The study shows that almost 80 percent of the companies surveyed attach rather great or even very great importance to privacy. On the other hand, it shows that SMEs in Switzerland hardly provide adequate resources for data protection. Data protection activities are often not budgeted, and 70 percent of the surveyed firms do not have a data protection officer. Further, there are hardly any formalized procedures and training efforts in connection with data protection. These results are remarkable given that the privacy topic currently enjoys high relevance and publicity following the “go live” of the GDPR and the Facebook-Cambridge Analytica data scandal early this year.
According to the survey, half of the companies are at least partially familiar with the current Swiss Data Protection Act (DPA). The GDPR is much less well known: Only 30 percent of the respondents agree or tend to agree with the statement that their company is familiar with the GDPR. Not surprisingly, larger companies tend to be more familiar with the GDPR than smaller companies.
Only a quarter of the companies surveyed assume that they will be affected by the GDPR. According to the authors, this stands in stark contrast to various expert assessments that the majority of Swiss firms will be affected by the GDPR. 35 percent assume that they are not affected, and 39 percent have answered that they do not know. Here, of course, there are clear differences between companies with fewer than 50 employees and those with 50 or more employees.
The authors of the study come to the following main conclusions:
- The data protection measures taken by the surveyed firms seem to clearly diverge from the subjectively highly rated importance of the topic.
- Data protection regulations, particularly the GDPR, pose major challenges: About half of the companies surveyed find it difficult to assess whether their own handling of the subject is adequate and compliant.
German companies struggling with the GDPR
Where do companies in the EU stand with regard to GDPR implementation? Is everything better there? – A look at firms in Germany:
Bitkom, the industry association of the German information and telecommunications industry, conducted a survey among 502 companies in Germany in August/September 2018. According to this study, roughly four months after the GDPR deadline, only a quarter of the companies surveyed have fully implemented the GDPR. A further 40 percent say they have largely implemented the rules, and 30 percent say only partially. Five percent of the companies have only just begun the implementation work.
Interestingly, in an earlier Bitkom survey in May 2018, 24 percent of companies had already given their self-assessment that they would be fully GDPR compliant by the end of the implementation period on 25 May 2018.
Also interesting is that 78 percent complain about greater effort in their day-to-day operations. Above all, the extended documentation and information duties seem to be a burden for companies. Also, 78 percent of the firms see difficulties in training their employees.
Not surprisingly against this backdrop: Almost all companies (96 percent) think that the new regulation needs to be improved.
Nevertheless, many respondents also see positive effects of the GDPR. 62 percent believe that the new data protection rules will lead to more uniform competitive conditions in the EU. 46 percent even see the GDPR as a competitive advantage for European companies.
Revision in progress, but still needs time
What is Switzerland’s status regarding the adaptation of its Data Protection Act (DPA)?
On 15 September 2017, the Swiss Federal Council sent a dispatch to the parliament aimed at a complete revision of the DPA. Objectives: The DPA shall be adapted to the Internet age, and the position and rights of the citizens shall be strengthened. At the same time, Swiss law shall become “aligned” with developments in the EU and the Council of Europe, thus ensuring that the free transfer of data between Swiss organizations and those in the EU remains possible. The Federal Council is thus responding to a concern of the Swiss economy.
On 12 January 2018, the National Council’s Political Institutions Committee voted in favor of a point of order (“Ordnungsantrag”) which provides for the splitting of the bill. The splitting makes it possible to discuss in advance the implementation of EU law required by the Schengen Agreements within a certain period. Subsequently, the complete revision of the DPA shall be tackled without time pressure.
During the parliament’s last summer session, the National Council approved the splitting of the bill to first make the urgently necessary adaptations to European law.
In September this year, the Council of States also approved a revision of the DPA in two stages. And a few days later, the National Council cleaned up the bill. The Federal Act and the Federal Decree on the further development of the Schengen acquis were adopted in the final vote on 28 September 2018.
Next step: The complete revision of the DPA will be dealt with in the coming winter session 2018.
Given the complexity and controversies around the topic, we expect the completely revised DPA not to become effective before 2020.
From “Privacy Compliance” to “Privacy Ethics”
Finally, let us take a brief look at the future of data protection:
Last week, research firm Gartner, Inc. presented the “Top 10 Strategic Technology Trends” for 2019. These “highlight changing or not yet widely recognized trends” which will have the potential to drive significant disruption and deliver opportunities through 2023 (next five years).
Some of the technology trends were already on the list for 2018, such as Autonomous/Intelligent Things, Edge Computing, Digital Twins, Immersive Technologies/Experience and Blockchain.
However, we also find new trends (definitions by Gartner):
- Augmented Analytics: Using automated algorithms by data scientists to explore more hypotheses, resulting in increased productivity and broader use
- AI-driven Development: Tools, technologies and best practices for embedding artificial intelligence (AI) into applications and using AI to create AI-powered development tools
- Smart Spaces: Physical or digital environments in which humans and technology-enabled systems interact in increasingly open, connected, coordinated and intelligent ecosystems, e.g. “smart cities”
- Quantum Computing: Type of nonclassical computing that is based on the quantum state of subatomic particles that represent information as elements denoted as quantum bits or “qubits”; quantum computers are based on an exponentially scalable and highly parallel computing model
From a data protection point of view, it is particularly interesting to observe the following trend: “Digital ethics and privacy”. Gartner’s analysts predict that digital ethics and data protection are significantly gaining in importance for individuals, organizations and governments. Consumers will be increasingly concerned with how personal data is being used by public and private entities. Enterprises that do not pay attention are at an increased risk of significant consumer backlash.
The analysts add that governments’ current focus is increasingly on the planning and adoption of new regulations, while companies currently focus on becoming compliant. Gartner finds that this does not go far enough: To be successful, companies must gain and maintain trust with the customers. To ensure that customers view them as trustworthy, companies must not only be compliant with legislation and regulations, but also follow internal values.
Therefore, Gartner’s view is that the conversation regarding privacy should move from “Are we compliant?” toward “Are we doing the right thing?”.
- The issue of data protection is considered highly important.
- Due to a lack of resources, most companies are not yet where they want and need to be.
- There is a clear need for action on the part of companies, but also on the part of the authorities to provide adequate guidance.
- GDPR implementation has priority for affected Swiss firms. The drafting of the new Swiss data protection law will still take time.