Data protection - Swiss companies still have a long way to go
In Swiss companies, there is a discrepancy between rights and reality regarding data protection, as a 2018 study conducted by the ZHAW shows. According to the study, SMEs hardly ever provide enough resources, and 70 per cent of the surveyed companies have no data protection officers.
The study conducted by the ZHAW in 2018 on data protection in Swiss companies (published in German: Datenschutz in Schweizer Unternehmen 2018) shows that most of the surveyed companies consider data protection as highly important. However, the survey also indicates that Swiss SMEs provide hardly any resources for data protection. Nico Ebert, a ZHAW researcher and co-author of the study, summarises the results as follows: the expenses for data protection are often not budgeted, and 70 per cent of the Swiss companies surveyed lack data protection officers as well. Despite the fact that data protection is currently of great relevance due to the new EU General Data Protection Regulation (GDPR) and the related up-coming revision and tightening of the Swiss Data Protection Act, there are hardly any formalised procedures or training programmes in place regarding data protection. This indicates that Swiss companies have not yet started to systematically implement data protection.
To gain insights into how Swiss companies process the personal data of their clients, employees and other stakeholders, the Institute of Business Information Technology and the Center for Social Law at the ZHAW School of Management and Law surveyed 265 mostly small- and medium-sized companies from the German-speaking part of Switzerland. According to Michael Widmer, a ZHAW researcher and co-author of the study, the surveyed companies represent the SME-dominated business landscape of Switzerland well.
About half the companies are at least partially aware of the content of the current Swiss Data Protection Act but, according to Widmer, significantly less is known about the new EU General Data Protection Regulation. Consequently, only 25% of the surveyed companies consider themselves subject to the GDPR. This result does not correspond to the assessment of solicitors and other experts, as the ZHAW researcher points out. Experts expect that the GDPR will affect the majority of Swiss companies.
The discrepancy between the right to data protection and actual practice is particularly evident in the area of legal requirements. Around half of the surveyed companies find it difficult to assess the lawfulness of their handling in relation to data protection. The authors state that the companies do not really understand the extent to which they are supposed to implement data protection provisions. In addition, the ZHAW study shows that the companies require industry standards they can rely on as well as more clarity with respect to the relevance and implementation of the GDPR. The authors of the study conclude that unavailable financial resources, a lack of data protection officers as well as hardly any training courses indicate that the data protection measures being taken by the surveyed SMEs are not yet sufficient to do justice to the subjectively highly-rated importance of the topic. The study also shows that, in light of the revision and tightening of the Swiss Data Protection Act, not only the business sector, but also legislators, civil authorities and industry associations are called upon to provide the necessary framework conditions as well as support, especially for SMEs.