Although not entirely new, the role of DPO has seen a rapid rise in visibility; what do you think is behind this?
That’s right. In fact, the term “Data Protection Advisor” already exists in the Swiss Data Protection Act (DPA) of 1992 (the law that currently applies), but it was only optional. However, it was European law in 2018, with the introduction of the General Data Protection Regulation (GDPR), that reinforced this role for organizations that process the personal data of residents of the European Union.
Aequivalent is ISO 27001 certified. How important is this certificate in your role? Was it mandatory for Aequivalent to pass the certification?
Certification in the field of data processing is never an obligation in Switzerland, unlike in other countries where it is required in the medical field, for example. It is purely a voluntary and continuous improvement process. That said, ISO 27001 is a tool that can be extremely useful, being an information security management system, because the law remains very abstract when it prescribes that “the organizational and technical measures” must be implemented.
How can an organization prepare for a data breach and does this happen at Aequivalent?
For my part, I would say that it all relates to management’s ability to be aware of the financial, legal and reputational risks that such an event can entail. This is because security is a question of corporate culture, but also of budget. At Aequivalent, a lot of questions and doubts were raised when, very early in our existence, we announced that we would be entering an ISO 27001 certification process – a long and treacherous road. For our management, however, there was no doubt, because “data protection is an integral part of Aequivalent’s core business.” Please note that there will be no promotions handed out as a result of this interview.
What does the future of data protection in Switzerland look like?
This is an excellent question in view of current events. You may have read about it in the last few days, but the Council of States and the National Council have finally reached an agreement to update the current law, which will soon celebrate its 30th anniversary. Generally speaking, we are moving in the right direction, because it was unlikely that Switzerland would keep its adequacy status with the European Commission in view of the standards imposed by the GDPR. I invite you to read my comment on the bill that has just been voted on, as applied in the field of human resources.
What about public awareness so far? Is there a reaction and interest in the protection of personal data?
Despite several cases of leaks of personal data, for instance the Swisscom affair in which at least 800’000 customers were concerned, public opinion does not seem to be particularly shocked. Today we are evolving in a context where users are far more interested in features that benefit their private lives, either because of a lack of knowledge and awareness (especially with regard to the monetary value of this data), or because of an attitude of laziness (we very often accept all cookies by default, without configuring them).
In your opinion, what is the biggest challenge for a DPO?
To pick just one: a DPO can sometimes be seen as a kind of internal auditor, or at least as someone who is looking to slow down operations. So the challenge lies in communicating with different departments and different backgrounds, in order to build a better understanding of what is at stake. Unfortunately, as change management training shows, some people are automatically resistant, and despite the efforts made, the dialogue remains complicated. But here again, the support of management will be decisive.