Turning Data Protection from Compliance to Advantage

Nicolas Zahn • August 2023

Data Security Keyboard Computer Preview

Per 01.09.2023 the new Federal Act on Data Protection will come into force. What does the new law tell us about the regulatory realities in the digital economy, what is the link between data protection and digital trust, and why might it be time to think about data protection differently?

Organisations big and small are scrambling in Switzerland to comply with the new Federal Act on Data Protection (nFADP) that enters into force beginning this September. The new provisions mark a clear change from the old act on data protection that goes back to the 1990s, a time where communicating digitally was still a rare sight and postcards were more dominant than email as the internet age was just about to begin. The new act is supposed to give individuals better protection and guarantees when it comes to how their personal data is being handled by authorities and corporations (see e.g. the overview by the FDPIC here)

Global developments, local effects

However, another aspect of why the law – after several revisions and consultations – is now being updated is linked to the European Union. Given that Switzerland participates in the European single market but is not a member of the European Union, it is essential for smooth operations that the legal situation in Switzerland is seen as equivalent to the European regulations. This was no longer the case in terms of data protection as the European Union had set the global de facto standard for data protection legislation with the General Data Protection Regulation, GDPR. The new Swiss legislation takes inspiration from GDPR but differs in a few crucial aspects e.g. it continues to follow the Swiss approach of allowing data processing unless explicitly forbidden by law whereas the GDPR requires a legal basis for data processing. Nevertheless, the new Swiss legislation is a huge step forward in terms of data protection and certainly many organizations will have to invest time and resources to ensure compliance with the new framework.

It all starts with data and trust

Data protection is often at the core of digital policy debates since data is at the core of the digital economy. Digital businesses need data, from logistics and operations in a factory to marketing campaigns on social media. Hence, getting the regulation of data processing right is crucial for the digital economy. Given the sensitive nature of many data points that are used on a daily business in today’s digital economy and the value that data presents to companies, it is also essential that data protection frameworks manage to create trust between data providers – often individuals – and data processors – the companies offering digital services. Only if I feel that my data is handled responsibly, e.g. because I know that there are severe punishments for companies that fail to do so, am I willing to share and contribute data. Unfortunately, the last years with countless scandals involving sloppy data handling have severely undermined the trust relationship between data providers and data processors.

This is exactly why in our work on digital trust, data protection plays a crucial role. If there is no trust regarding data involved in a digital service, there can be no sustainable relationship between a consumer and a digital service provider. Data Protection is one of the four dimensions our Digital Trust Label assesses and it follows established standards such as GDPR when it comes to the relevant auditing criteria. Organizations that opted early on to go through the labelling process thus had an advantage when it comes to complying with the new Swiss legislation on data protection as many questions that they need to ask themselves already became clear when looking at our criteria catalogue: it pays to address digital trust as early as possible, especially in a quickly shifting regulatory environment like the one we are experiencing at the moment.

From nuisance to asset

But purely framing the issue of data protection as a question of compliance would be a missed opportunity. As with digital trust more generally, investing in data protection and using it as a way of thinking clearly about the relationship between consumers and digital service providers can provide advantages in the marketplace. With not only growing regulatory pressure but also increased user awareness, it pays to proactively address data protection and see it not necessarily as a nuisance to comply with but an asset for the own company. The Swiss Digital Initiative had the opportunity to present its work at a conference organised around this exact argument by MD systems. Read more in their blog about the event.

To learn more about our work, see here.