One year of the new Data Protection Act

  • Blog
  • 5 minute read
  • 27/02/25

Bruno Caviezel, Senior Manager, Digital Assurance & Trust, PwC Switzerland

Philipp Rosenauer, Partner Legal, PwC Switzerland

Since September 2023, the new Federal Act on Data Protection (FADP; German: DSG) has placed the protection of personal data at the centre of regulators' attention. With an independent audit report, companies not only demonstrate compliance but also strengthen the trust of their customers and business partners.

The new Federal Act on Data Protection (FADP) and the associated Data Protection Ordinance (DPO) have been in force since 1 September 2023. Swiss companies therefore face stricter requirements for information security and the careful handling of personal data; at the same time, the rights of data subjects have been strengthened.

The most important changes include extended information, reporting and documentation obligations, as well as significantly higher penalties for natural persons in the event of violations. Companies must keep a register of processing activities, adapt their privacy notices, document transfers abroad, institutionalise reporting processes and clearly define responsibilities.

Strengthen control of external data processors

The topic of commissioned data processing and the conclusion of so-called processor agreements has become particularly relevant. In practice, however, these agreements often prove to be "toothless tigers", as many data controllers do not adequately fulfil their monitoring and inspection obligations towards their processors, especially with regard to compliance with technical and organisational security measures. Every company must therefore know exactly not only how it ensures data protection itself, but also how its third parties do so, as a lack of protection on their side harbours considerable risks.

One year after the new FADP came into force, data controllers should check whether, and which, checks they carry out on their processors. Neither the Act nor the Ordinance provides clear guidance on this.

In addition, recent court rulings from the EU show that the supervisory duties of data controllers have been significantly expanded, a trend that could also become established in Switzerland. How can controllers and processors tackle these challenges in a pragmatic and risk-based manner?

A comprehensive assurance report sends a strong signal to the public: the company takes data protection seriously and willingly undergoes external audits.

Fulfil the requirements of the DPO: creating trust through independent auditing

How can companies systematically work through the catalogue of requirements in the Data Protection Ordinance? And how can processors prove that they are complying with data protection law? We are observing that more and more customers are looking for confirmation that they fulfil all legal requirements, not least in order to minimise liability risks.

To demonstrate compliance, structured approaches are required to verify and confirm that these requirements are met. One proven method is the preparation of an independent assurance report. ISAE and SOC® audits (see also: ISO 27001 vs. ISAE/SOC), for example, give companies the opportunity to provide comprehensible evidence of the appropriateness and effectiveness of their data protection measures. Such audit reports not only create transparency and trust with customers and business partners, but also help to identify and minimise risks in the processing of personal data at an early stage, a key requirement of the new FADP.

Sustainable proof of data protection

Certifications such as ISO 27001 are established standards for information security management systems. In addition, data protection-specific certificates such as the European Privacy Seal (EuroPriSe) or GDPR certifications offer further ways to prove compliance with data protection requirements. ISAE or SOC® audit reports, on the other hand, offer more in-depth proof, as they show that technical and organisational security measures are effective not only at a single point in time, but continuously. This is particularly important as customers and business partners increasingly demand confirmation that their data is being processed securely and that processors are fully complying with their obligations.

Although an audit report is not a legal requirement, it provides additional assurance and transparency with regard to compliance with data protection requirements. It shows that the company not only fulfils the basic legal requirements but also ensures ongoing compliance with these standards. At the same time, a comprehensive audit report sends a strong signal to the outside world: the company takes data protection seriously and willingly submits to an external audit.

Contact us

Philipp Rosenauer, Partner Legal, PwC Switzerland, +41 58 792 18 56

Ralf Hofstetter, Partner, Sustainability Assurance, PwC Switzerland, +41 58 792 5625

Bruno Caviezel, Senior Manager, Digital Assurance & Trust, PwC Switzerland, +41 79 713 27 59