Everything under control with the EU GDPR?
The European General Data Protection Regulation (EU GDPR) has been in force since the end of May. Even though this is EU law, it certainly affects Swiss companies. How have SMEs prepared themselves in this regard?
The EU GDPR has one main goal: to better protect customers' personal data from misuse and to grant users more rights. The EU lawmakers are primarily targeting the big "data collectors" such as Google, Amazon, Facebook, etc. The EU's data protection laws are not just a matter of data protection. However, all companies that process and store personal data in any form are affected - and laws are inexorable in this respect.
Much effort
Whoever you ask: Everywhere, including in Switzerland, it is said that the EU GDPR primarily brought a jumble of additional work. Because even companies from "small" Switzerland had to deal with the "juggernaut" EU-DSGVO, which has expressed itself in the last few weeks in countless mails in which one was asked to confirm or renew personal information. This is because the new regulation stipulates that personal data may only be stored with explicit consent. Companies that have extensive data records, including data that has been stored for years but hardly ever used, had to go to greater lengths. They therefore had to obtain consent again from all addressees. Many users took this as an opportunity to definitely say goodbye to the sender's database. For e-mail marketers in particular, this re-opt-in was a double-edged sword: on the one hand, they ran the risk of losing many addressees more or less for good, but on the other hand, the quality of the database increased: anyone who responded positively to the re-opt-in made it clear that they still wanted to receive information and thus belong to the target group. According to experts, however, this re-opt-in would not have been absolutely necessary: Anyone who has already obtained data via opt-ins is already on the safe side according to the GDPR.
Protecting EU citizens globally
Two criteria are decisive for the applicability of the EU GDPR to Swiss companies: on the one hand, the place of establishment, and on the other hand, the target market. Thus, if a Swiss-based webshop offers or sells goods to persons residing in an EU country, it falls under the scope of application of the GDPR. This also includes a number of advertising measures. The legislator has focused in particular on so-called behavior-based advertising. If, for example, a Swiss hotel operator creates profiles of its customers from the EU in order to be able to make them "tailor-made" new offers, this also falls under the GDPR "insofar as the profile is created on the basis of behavior in the EU," as it says in an information paper of the Federal Data Protection and Information Commissioner FDPIC. The GDPR is also likely to apply to the case where the operator of a website uses web tracking to draw conclusions about product preferences or the like based on users' surfing behavior. This means that websites must first ask visitors whether it is okay to use so-called cookies. This is because cookies are what make tracking possible in the first place.
Long overdue data cleansing
The companies we surveyed seem to have done their homework. It was an effort, but the positive effect is probably: now "there is order in the stable" in the form of a cleaned-up internal database without "file corpses". And customers can be informed at any time about the data they have stored and are obliged to delete it if they wish - unless there is a higher-ranking law to the contrary.
And what happens in the event of violations of the EU GDPR? The threat of sanctions should be taken seriously. However, anyone who has always handled personal data in a trustworthy manner should have little to fear from the threat of sanctions. In any case, it remains to be seen what the actual case law will look like and whether a flood of litigation will occur at all. As soon as the first court rulings are available, it will become clear whether and in what form the company will have to readjust its own data processes.
"My data belongs to me"
Despite all the criticism of the EU GDPR - a revised Swiss data protection law is also in the pipeline, as is well known, and is likely to generate further work - it is important to note that the EU's new data protection law is not the only one: When dealing with data as the so-called "new currency," there is a need for generally applicable rules of the game. After all, it is all well and good if every one of us who disseminates his or her data on a daily basis via online channels, quasi "à discrétion," can also always gain insight into what is happening with his or her personal information. It's like regularly checking your bank balance. And who doesn't take care of their money?
How Swiss SMEs dealt with the EU GDPR
Swiss SMEs have approached the requirements of the EU GDPR differently. We talked about this with Gaby Stäheli, Co-CEO of GRYPS Offertenportal AG in Rapperswil with 17 employees.
Ms. Stäheli, what (additional) work has the EU GDPR caused you so far in general?
Gaby Stäheli: We needed around 10 to 15 man-days for preparation and implementation of the most important tasks up to the introduction. For a company with 17 employees working at full capacity, this is a massive additional expense. We expect additional effort when Switzerland follows suit.
Where, for example on your websites, did you have to make the biggest adjustments?
The wording of the privacy statement, which is now much more comprehensive, and the design of our online questionnaires. Defining the internal processes associated with future data disclosures and deletions was also time-consuming.
How do you ensure that customers, for example, can exercise the "right to be forgotten" about their data?
An internally defined process is initiated as soon as a customer requests or wishes to have their data deleted. However, this is only possible if it does not contradict the legal data retention period for customer transactions.
More generally, how do you ensure the security of the personal data you manage?
All systems and servers on which customer data is located are encrypted. These are located in professional data centers with guaranteed high security standards. Our employees are also trained accordingly.
Information: You can find more interviews in the Print edition ORGANISATOR 6-2018.
