What it’s all about: the data protection of the future

Digitization not only increases data volumes, but also the technological possibilities for analysing and processing existing data using Big Data, machine learning and artificial intelligence. The new Swiss Federal Act on Data Protection, which was adopted by the Swiss Parliament in autumn 2020, takes account of these developments. It replaces a law that dates back to 1992 — a time when the internet was still in its infancy. “The new Federal Act on Data Protection now applies wherever personal data is processed. For banks, whose business is data-driven and IT-managed, it will have an impact in many areas,” explains Jürg Frei, head of the framework project on data protection at PostFinance. Key elements of the new data protection legislation include:

• The new Federal Act on Data Protection exclusively covers the protection of natural persons, bringing it into line with relevant international standards.
• The obligation to provide information with regard to data subjects is being made much more comprehensive and includes the minimum information required.
• Additional personal data, such as genetic and biometric data with which a person can be uniquely identified, is considered particularly sensitive
• Companies with 250 or more employees are obliged to keep a record of their processing activities.
• Processing of personal data must be planned and implemented in such a way that it can be carried out in compliance with data protection regulations from the outset (privacy by design).
• There is now a right to data portability: individuals can request the release of their personal data in a common electronic format.
• Clear sanctions are set out which stipulate the individual criminal liability of the responsible persons. It is assumed that it is primarily the management bodies, such as members of the Board of Directors or the Executive Board, that could be affected by this, and possibly also the data protection officer in the case of improper action.

What the data protection of the future involves: the challenges

For PostFinance, careful handling of personal data is an obligation it has always fulfilled. While the financial institution has tended to work with solutions for specific issues in the past, the new Federal Act on Data Protection takes a holistic view. "These days, data is no longer simply available in a separate easy-to-manage data pool, but flows from application to application, is augmented where necessary and is kept available for further processing. We’re taking this into account by adopting a holistic approach to the issue,” explains Jürg Frei. One step in this direction, according to Frei, is the creation and maintenance of the record of processing operations required by law, which must contain all processing of personal data. This internal transparency forms the basis, for example, for drawing up data privacy statements that ensure external transparency too.

How PostFinance is preparing: a large-scale project on data protection for the future

PostFinance is preparing for the entry into force of the new Federal Act on Data Protection with a comprehensive data protection project and is defining and prioritizing appropriate implementation measures. According to Jürg Frei, a fundamental distinction must be made between the requirements of data protection and those of data security: data protection protects the right to privacy, especially in legal terms. However, this is not possible without data security. This defines how data is handled in organizations. Stephan Zimmermann, Head of Customer Security at PostFinance, the unit responsible for online security, card money security and anti-fraud, explains: “Data protection is all about transparency for customers. Not only do we have a duty to tell them what the data is collected and used for, but in certain cases they must also have the opportunity to consent to or reject the collection of data that’s not relevant to the business in question.” Frei points out that data security is all about ensuring the confidentiality, integrity and availability of data throughout the entire data lifecycle, from collection to deletion. This includes ensuring that no unauthorized persons have access to the data, for example, or that the data is not lost if system issues arise. 

What the new data protection law requires in specific terms — three examples

Why the new data protection is important for everyone: raising awareness

A particularly important piece of the puzzle when it comes to implementing data protection is the employees. “Data protection must become part of our DNA,” stresses Jürg Frei. “Employees should understand the fundamentals of data protection, know what is allowed and what is not, and also recognize and report when a sensitive situation arises. This is actually similar to bank client confidentiality.” For this reason, PostFinance has launched a comprehensive communication campaign with explanatory videos in which relevant parts of the Federal Act on Data Protection are explained. In a further step, it also plans to roll out more in-depth training at appropriate levels.

What the new Federal Act on Data Protection will do: the impact

According to Jürg Frei, the new Federal Act on Data Protection will bring much greater transparency with regard to the processing of personal data. This contributes to customers’ understanding that the new technological possibilities can benefit them too. It is also up to PostFinance to highlight the added value. For instance, specific, customized offers could be made to the customer without them having to endure a torrent of advertising in future. Jürg Frei sees no danger that the new data protection law will fundamentally restrict the use of technologies, such as Big Data, artificial intelligence or machine learning. “We are simply entering an era when data is handled more consciously. The Federal Act on Data Protection does not prevent personal data from being processed. It only requires that this is done according to the standards — in other words, with the necessary transparency and due diligence.” The importance that PostFinance attaches to data handling is highlighted by the scale of this framework project and the significance it has within the company.