The New Federal Act on Data Protection (nFADP) is set to come into effect on September 1, 2023. This important legislative change brings forth various obligations.
Data privacy entails more than just reviewing and updating contracts and privacy notices. To shed light on the matter, we interviewed Matthieu Vetter, an Interim Legal consultant and data privacy specialist. In this interview, he shares his thoughts on achieving compliance and discusses the benefits of flexible legal support for in-house legal teams.
Dear Matthieu, please introduce yourself.
I am a bi-national French and Swiss with ten years of experience in Switzerland as an in-house counsel and data protection officer for multinational IT companies. Prior to this, at the beginning of my career, I spent five years as an IT purchaser in the IT & telecommunications sector.
In the first half of 2023, I worked with Interim Legal as a Senior Legal Counsel for a multinational media group, a role in which I helped enhance and design data privacy processes.
My interest in IT and data privacy began back in 2008 when I earned a master’s degree in law with a specialization in IT law from the University of Strasbourg. Since then, I have pursued various continuing education programs in law, data privacy, and cybersecurity, both in Switzerland and abroad.
As a consultant for Interim Legal, what benefits does our model of flexible legal support offer in-house legal teams seeking to integrate data privacy advice?
In many instances, achieving compliance in data privacy can both be resource-intensive and necessitate expertise beyond traditional legal work. The nFADP introduces impactful changes for companies, such as the expansion of the scope of sensitive personal data, the new concept of profiling, and a reinforcement and extension of the duty of information and of data subjects’ rights.
The flexible legal model offered by an alternative legal service provider (ALSP) such as Interim Legal enables in-house legal departments to add temporary, specialized legal and compliance professionals to their teams who can help drive such data privacy projects, from the gap analysis and the definition of the compliance program to the implementation of the data privacy compliance requirements.
Moreover, integrating a resource through an ALSP with prior experience in managing such projects can prove advantageous for in-house legal teams. Project management skills, effective communication, and the ability to collaborate with other departments are crucial factors in ensuring success.
From your view, what are the biggest risks for in-house legal departments currently seeking to implement the nFADP?
One significant risk is the rush to update documentation without first ensuring that a comprehensive inventory of the company’s data processing activities is available. I am convinced that data privacy involves more than just reviewing and updating policies, processes, contracts, and privacy notices. While these aspects are crucial, they must accurately reflect reality, which requires a complete and precise view of all existing data processing activities.
With the introduction of the nFADP, companies will have the obligation to create and maintain a record of processing activities, documenting at least a minimum set of information about personal data flows and their purposes. This record serves as the foundation for achieving data privacy compliance – much like the foundation of a house: if not properly built, the house will never be stable. The same rationale applies here. For example, the information in this record is critical for complying with the new, extended duty of information.
Best practice suggests that this record is usually developed through collaboration with each department within the company, such as marketing, sales, HR, IT and every department processing personal data. Each department lists and provides relevant information about its personal data processing activities: the types of personal data collected and processed, the purposes, the technical and organizational measures implemented to ensure security, the data retention periods, storage locations, recipients and their locations, etc. If such a record already exists, it must be ensured that it is accurate, up-to-date, and complete.
It is worth noting that an exception for keeping a record of processing activities may apply to small and medium enterprises with fewer than 250 employees, so long as the risk of harm to the data subjects is limited. Even in cases where this exception applies, it is advisable to keep a register of processing activities. Indeed, the absence of a complete and accurate overview of all processing activities would lead to other compliance problems; for example, it would be very difficult to comply with other remaining obligations, such as the duty of information or to respect the rights of data subjects.
As the deadline for regulatory compliance with the nFADP approaches, how should in-house legal teams think about the implementation of this new regulation at this stage?
First, I think that it is never too late to achieve compliance or start working towards this goal. However, the sooner, the better; achieving data privacy compliance requires following a comprehensive process: assessing the current status, conducting the corresponding gap analysis, defining and implementing appropriate actions.
If the organization hasn’t already done so, I think that a legal department should first seek expert knowledge and inform the management in order to secure its support, both in terms of messaging and allocating resources. Establishing clear project governance and conducting internal training sessions are also essential steps to complete. Simultaneously, focus should be put on creating or updating the record of processing activities; determining if any of these processing activities qualify for the specific concept of profiling would also be necessary. Based on this, data privacy notices and contracts should be adapted to comply with the enhanced duty of information; similarly, processes to meet other obligations, such as handling data subjects’ requests and notifying authorities about data breaches, need to be put in place. Additionally, processes to deal with future data processing activities should be defined, for instance for integrating the data privacy by design and default requirement, and for determining when and how a data protection impact assessment should be conducted. Compliance with requirements for international data transfers and processing should also be checked.
This list is by no means exhaustive, and the actual work may vary depending on the organization type, geographical scope, compliance with other sectorial or regional laws such as the EU GDPR, and the company’s data privacy maturity.
Once an in-house legal or compliance team has integrated the nFADP, what are some of the crucial steps to take in order to ensure continued compliance?
It is crucial to consistently work on maintaining compliance. From my perspective, achieving data privacy compliance is an ongoing project goal and by no means a one-time activity. Experience has shown that processing activities within a company are continually changing, necessitating updates to the record of processing activities whenever a new activity is introduced or replaced, and adjusting all compliance requirements accordingly. Failing to do so would undoubtedly result in an inaccurate inventory over time, posing the risk of nullifying the benefits of previous work. To avoid this, I think that it is vital to clearly assign this responsibility to a specific person within the company.
Finally, documenting every step taken to achieve compliance is essential. This approach enables the company to internally retain process knowledge on the one hand and to demonstrate compliance on the other.
Disclaimer: The views and opinions expressed in this interview are solely those of Mr. Vetter (the interviewee) and do not represent the views or opinions of any organization or entity. The information provided in this interview is for general informational purposes only and should not be construed as legal advice or a substitute for professional legal counsel. Laws and regulations regarding data protection and privacy may vary based on specific circumstances and jurisdictions. Neither Mr. Vetter (the interviewee) nor any other parties involved in the interview assume any liability for actions taken based on the information provided herein.