What it’s all about: the data protection of the future

Digitization not only increases data volumes, but also the technological possibilities for analysing and processing existing data using Big Data, machine learning and artificial intelligence. The new Swiss Federal Act on Data Protection, which was adopted by the Swiss Parliament in autumn 2020, takes account of these developments. It replaces a law that dates back to 1992 — a time when the internet was still in its infancy. “The new Federal Act on Data Protection now applies wherever personal data is processed. For banks, whose business is data-driven and IT-managed, it will have an impact in many areas,” explains Jürg Frei, head of the framework project on data protection at PostFinance. Key elements of the new data protection legislation include:

• Only data of natural persons will be protected
• The obligation to provide information to data subjects will be more comprehensive
• Additional data, such as genetic and biometric data with which a person can be uniquely identified, is considered particularly worthy of protection
• Companies with 250 or more employees are obliged to keep records of their data processing
• Data processing must be planned and implemented to ensure data protection regulations are complied with (Privacy by Design)
• There is now a right to data portability: any person can demand the release of their personal data in a standard electronic format
• Clear sanctions are defined

What solutions will the data protection of the future call for: the challenges

For PostFinance, careful handling of personal data is an obligation it has always fulfilled. While the financial institution has tended to work with solutions for specific issues in the past, the new Federal Act on Data Protection takes a holistic view. “Today, the data is no longer simply available in a separate data pool, but flows from application to application or is augmented where necessary. We’re taking this into account by adopting a holistic approach to the issue,” explains Jürg Frei. One step towards this is the creation and management of internal records, required by law, which ensure transparency internally and where all data processing is logged. This in turn forms the basis for drawing up a privacy policy that creates transparency for the outside world.

How PostFinance is preparing: a large-scale project on data protection for the future

PostFinance is preparing for the entry into force of the new Federal Act on Data Protection with a comprehensive data protection project and is defining and prioritizing appropriate implementation measures. According to Jürg Frei, a fundamental distinction must be made between the requirements of data protection and those of data security: data protection protects the right to privacy, especially in legal terms. However, this is not possible without data security. This defines how data is handled in organizations. Stephan Zimmermann, Head of Customer Security at PostFinance, the unit responsible for online security, card money security and anti-fraud, explains: “Data protection is all about transparency for customers. Not only do we have a duty to tell them what the data is collected and used for, but in certain cases they must also have the opportunity to consent to or reject the collection of data that’s not relevant to the business in question.” Data security is about defining how a company ensures data is secure over its entire life cycle — from collection to deletion. In doing so, it also ensures no unauthorized persons have access to the data.

What the new data protection law requires in specific terms — three examples

Why the new data protection is important for everyone: raising awareness

A particularly important piece of the puzzle when it comes to implementing data protection is the employees. “Data protection must become part of our DNA,” stresses Jürg Frei. “Employees should understand the fundamentals of data protection, know what is allowed and what is not, and also recognize and report when a sensitive situation arises. This is actually similar to bank client confidentiality.” For this reason, PostFinance has launched a comprehensive communication campaign with explanatory videos in which relevant parts of the Federal Act on Data Protection are explained. In a further step, it also plans to roll out more in-depth training at appropriate levels.

What the new Federal Act on Data Protection will do: the impact

According to Jürg Frei, the new Federal Act on Data Protection will bring much greater transparency with regard to the processing of personal data. This contributes to customers’ understanding that the new technological possibilities can benefit them too. It is also up to PostFinance to highlight the added value. For instance, specific, customized offers could be made to the customer without them having to endure a torrent of advertising in future. Jürg Frei sees no danger that the new data protection law will fundamentally restrict the use of technologies, such as Big Data, artificial intelligence or machine learning. “We are simply entering an era when data is handled more consciously. The Federal Act on Data Protection does not prevent you from processing data. It only requires that this is done according to the standards — in other words, with the necessary transparency.” The importance that PostFinance attaches to data handling is highlighted by the scale of this framework project and the significance it has within the company.