
Data Protection for SMEs: How to Become “DSG-Compliant” with Reasonable Effort

Written by Patricia Müller
12.3.2025

Since the European General Data Protection Regulation (GDPR) came into effect in 2018 and the revision of the Swiss Data Protection Act (DSG) in 2023, many Swiss SMEs have faced a challenge: Data protection must be implemented correctly, but the associated efforts are often greater than expected. The good news: With a pragmatic approach, DSG compliance is achievable without disproportionate effort. This blog post explains how.

Step 1 – Understanding the Problem: Why Data Protection Is Important

Many SMEs underestimate the importance of data protection. However, the General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DSG) do not only apply to large corporations – SMEs must also process personal data in compliance with the law. Failure to do so can have legal consequences and jeopardize customer trust. Data protection is therefore not just an obligation but also an opportunity to build trust.

Step 2 – Risk Assessment: Where does the Company Stand?

The importance of a company’s data protection compliance depends on various factors. Key questions include:

  • What data is processed and for what purpose?
    Certain types of data are subject to stricter protection regulations, and violations can result not only in severe fines but also in reputational damage and loss of customer trust. The same applies if data is traded or if large amounts of personal data are processed, for example, for marketing purposes.
  • How relevant is data protection in the respective industry?
    Data protection comes into particular focus when the relevant authorities (in Switzerland, the Federal Data Protection and Information Commissioner (EDÖB) for private companies) initiate investigations, especially in sensitive industries or in response to specific complaints. In practice, alleged violations of data protection regulations are often reported by dissatisfied former employees, unhappy customers, or competitors, which can lead to regulatory audits. Additionally, data protection is highly relevant when customers, particularly banks or pension funds, require data protection compliance as a prerequisite for business partnerships.

Step 3 – Choose the Appropriate Data Privacy Strategy

Based on the risk assessment, there are several approaches for implementation:

  • Option "Super Light": A basic privacy policy for the website (e.g., well-suited for online shops).
  • Option "Light": A more comprehensive privacy policy, ideal for SMEs that collect non-sensitive customer data via their website or digital platforms and use it only for business operations, without processing particularly sensitive data or engaging in deep data usage for marketing purposes.
  • Option "Light 2": Privacy policy + data processing agreement (DPA), suitable for companies that process personal data and use external service providers (e.g., cloud providers or marketing agencies) for this purpose.
  • Option "Fully Fledged": Full data protection compliance for companies with higher risks, such as providers of software platforms or those engaged in extensive data processing, where detailed documentation and implementation of data protection requirements are necessary. This option is also required for companies whose customers demand data protection compliance, especially in the financial sector.
  • Option "Fully Fully Fledged": DSG-compliance with approval from data protection authorities. Required for companies handling particularly sensitive data, especially in regulated sectors like healthcare.

The options "Light" to "Fully Fledged" are offered on our website as fixed-price products. Feel free to check them out.

Step 4 – Decide Between the DSG or GDPR as the Basis

If a company operates in the EU, targets customers in the EU, or processes data of EU citizens, the EU General Data Protection Regulation (GDPR) becomes relevant. In this case, companies must comply with the (slightly stricter) requirements of the GDPR in addition to the Swiss national data protection law (DSG). A later "gap filling" between the two laws is possible.

It is recommended to first ensure compliance with one law and then fill in the gaps according to the other one.

Step 5 – Data Mapping: What Data Flows Exist?

Before implementing data protection measures, a company must understand which data is processed, how it is processed, and who is responsible for it.

There are two important categories of responsibility:

  • Data Controller: The company that decides how the data is processed.
  • Data Processor: External service providers who process data on behalf of the data controller (e.g., cloud services).

Relevant data includes all so-called "personal data" such as names, addresses, email addresses, phone numbers, payment information, IP addresses, health data, and so on.

Step 6 – Legal Analysis: What Needs to Be Done?

The following analysis helps to implement the key data protection obligations:

  • Is the processing permitted?
    According to the DSG (Swiss Data Protection Law), processing personal data is only permissible if it does not unlawfully infringe on the personality rights of the data subject. Otherwise, explicit consent from the data subject is required.

    Under the GDPR, processing is only allowed if at least one of the legal grounds listed in Article 6 is met, such as consent, the fulfillment of a contract, a legal obligation, the protection of vital interests, a public task, or legitimate interests, provided that no overriding rights of the data subject are in conflict.
  • What obligations arise from the existing data flows?
    The three most important obligations are usually:
    • Create and maintain an up-to-date privacy policy.
    • Sign a Data Processing Agreement (DPA) if external service providers are engaged.
    • If operating in the EU, appoint a GDPR representative in the EU.

There are useful online tools for many tasks

For the implementation and management of data protection obligations, there are various online tools that make it easier to comply with requirements, depending on the size of the company. To save you the effort of searching for them yourself, we have created an overview of different tools that you can conveniently order from us via email.

Conclusion: Implementing Data Protection with Reasonable Effort

Data protection is a challenge for SMEs, but with a suitable strategy for the company, the issue can be managed without excessive effort. We are happy to help find the right solution – practical, efficient, and tailored to the company’s needs.