Implementation Challenges of the GDPR

It is evident that Swiss companies will have to implement the new data protection regulation, as the rules apply to all companies, which deal with any kind of personal data of individuals in the EU, irrespective of whether these companies are based in the EU or not. Some Swiss companies have already made progress concerning this matter. However, there are several challenges in data protection management for Swiss organizations that need to be considered.

1. Privacy must be applied across the organization.
Marketing and business development departments must be concerned with any activities where personal information is processed—collected, used and shared—as a function of marketing.
Information security provides standards and guidelines for applying technical and operational controls to reduce the probable damage, loss, modification or unauthorized access to systems, facilities or data.
IT works closely with privacy and security team to ensure alignment. For example, security may designate who has access to information, while IT would enable access to those with the proper permissions.
Legal must know that an organization need conduct factual and legal due diligence to align privacy practices and minimize legal liability. Legal should have controls, documentation management practices and tracking mechanisms in place.

2. Privacy Policies and Guidelines
A further challenge, as the GDPR has shown, is the design and implementation of concepts, policies and guidelines that guarantee the updating of safety standards and remains in the sense of continuous compliance with the GDPR and other legal principles. This challenge is also to be expected with the E-DSG.

3. Establishing a Records of Processing activities
The companies need to integrate and keep up to date the records into business activities so that changes in the system are reflected in the processing activities and allow the Data Protection Team to identify and mitigate the privacy gaps.

4. Privacy by Design / Privacy by Default
Data protection through technological design-development refers to organizational and technical measures implemented to comply with the principles of regulation. It is essential to protect the rights of data subjects before, during and after the processing of personal data.
Data protection through data protection-friendly default settings means that only those personal data may be collected and processed that are necessary for a specific purpose of processing. New products or changes to existing products require a risk assessment. But even with existing data processing activities, there must be clarity as to which category of personal data is used for which purpose.
Cybersecurity, in particular, is playing an increasingly important and complementary role in data protection. The technical and organizational measures to protect data and the associated compliance with data protection laws can only be implemented and adhered to with the help of a secure IT system. IT security thus becomes a fixed component when it comes to complying with legislation.

5. Data Subjects Access Rights
Organizations need a policy – to accept a withdrawal of consent, to deal with a data subject access request and all other privacy rights..
Organizations need a process – to enable the policy to be carried out. There must be people who are trained whose responsibility is to deal with those processes in the organization.
Organizations need technology -Data Protection Team to be able to use the technology to find every consent or every data record that they keep about a person. Later they need to be able to isolate it, amend it, extract it, and deliver it.
New technologies can support today’s IT infrastructure and applications for universal search, so that any personal data can be found quickly and, for example, deletion requests can be processed successfully. Data subjects have the right to free access to their data, correction of data and the right to object to data processing. In order to process requests from data subjects efficiently, IT solutions can offer a system-based workflow that supports the process from receipt to completion of the request.