Since September 2023, the new Swiss Data Protection Act (nDSG) has been in force. Many SMEs are uncertain: what do we actually need to implement on the technical side? Is a privacy policy enough? Do we need a data protection consultant?
This article explains the technical requirements of the nDSG — without legal jargon, with concrete measures.
What the nDSG Requires Technically
Article 8 of the nDSG calls for “appropriate technical and organisational measures” to protect personal data. The Federal Council has specified these in the Data Protection Ordinance (DSV):
- Access control: Who has access to which data?
- Encryption: Is data protected during transmission and storage?
- Logging: Are access and changes logged in a traceable manner?
- Availability: Are there backups and recovery plans?
- Regular review: Are measures reviewed periodically?
The last point is crucial — and the one most often neglected.
“Appropriate” — What Does That Actually Mean?
The law does not require specific products or certifications. “Appropriate” means: proportionate to the risk and the size of the company.
A 20-person SME is held to different standards than a bank. But “we are too small, this does not apply to us” does not hold up. The nDSG applies to every company that processes personal data — and virtually every SME does (customer data, employee data, email addresses).
7 Concrete Measures Every SME Should Implement
1. Enforce encryption
All externally accessible services must use TLS 1.2 or higher. TLS 1.0 and 1.1 are outdated and considered insecure.
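The following is an added example, not code from the article or from ExposIQ. It shows the configuration side of this measure: a small lint over a constructed nginx server block whose `ssl_protocols` directive still enables TLS 1.0 and 1.1, the corrected directive beside it, and a Python `ssl` server context that enforces the same floor for a service you run yourself. The host name and certificate path are placeholders.

```python
"""Check that a TLS configuration allows only TLS 1.2 and higher.

Added example (not from the original article). It
1. lints the ssl_protocols directive of a constructed nginx server block
   and flags TLSv1 / TLSv1.1, and
2. builds a Python ssl.SSLContext that refuses anything below TLS 1.2.
"""
import re
import ssl
from typing import List

# Protocol names as nginx writes them; only the first two are acceptable.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: a legacy server block (example.invalid is a placeholder).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate /etc/ssl/certs/example.pem;
}
"""

# The corrected directive: TLS 1.2 as the floor, TLS 1.3 also enabled.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;"
)

# One ssl_protocols directive per line; the value runs up to the semicolon.
_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def enabled_protocols(config_text: str) -> List[str]:
    """Return the protocol names listed in every ssl_protocols directive."""
    found: List[str] = []
    for match in _DIRECTIVE.finditer(config_text):
        found.extend(match.group(1).split())
    return found


def legacy_findings(config_text: str) -> List[str]:
    """Findings that must be fixed to meet the TLS 1.2 floor.

    An empty list means the configuration is compliant. A missing directive
    is reported too: nginx then falls back to a compiled-in default, which is
    not something you can point to in an audit.
    """
    protocols = enabled_protocols(config_text)
    if not protocols:
        return ["ssl_protocols directive missing"]
    return [f"legacy protocol enabled: {p}" for p in protocols
            if p in LEGACY_PROTOCOLS]


def hardened_server_context() -> ssl.SSLContext:
    """Server-side context for a service you operate: TLS 1.2 or higher only."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_floor_enforced(ctx: ssl.SSLContext) -> bool:
    """True when the context cannot negotiate TLS 1.1 or older."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", legacy_findings(cfg) or "compliant")
    print("python context floor ok:", tls_floor_enforced(hardened_server_context()))
```

Running the block prints two findings for the weak block and `compliant` for the corrected one; the same regex can be pointed at a real `nginx.conf` to produce a dated line for your documentation.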
2. Review access rights
Who has admin access? Who can access personal data? Apply the principle of least privilege.
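An added example of such a review, not from the article or from ExposIQ: it takes a constructed list of accounts of the kind an administrator exports from a directory or a line-of-business application and applies three least-privilege questions to it (dormant admin accounts, personal-data access not justified by the role, accounts with no named owner). The role names, the 90-day threshold and the review date are assumptions for the example.

```python
"""Periodic access-rights review for a small environment.

Added example (not from the original article). The input is a constructed
account export; the review returns findings a reviewer would have to act on
and that can be filed as evidence of the review.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass(frozen=True)
class Account:
    name: str
    role: str             # assumed role names: admin, hr, sales, support
    has_pii_access: bool  # can read customer or employee records
    last_login: date
    owner: str            # named responsible person; "" for shared/service accounts


# Roles that legitimately need personal data (assumption for this example).
PII_ROLES = {"admin", "hr", "support"}
# An admin account unused for this long should be disabled or downgraded.
DORMANT_AFTER = timedelta(days=90)
# Constructed review date so the result is reproducible.
REVIEW_DATE = date(2025, 3, 1)

# Constructed sample export (names are placeholders).
SAMPLE_ACCOUNTS = [
    Account("anna", "hr", True, date(2025, 2, 27), "Anna Example"),
    Account("beat", "admin", True, date(2024, 10, 3), "Beat Example"),
    Account("chris", "sales", True, date(2025, 2, 28), "Chris Example"),
    Account("scan-svc", "admin", False, date(2025, 2, 28), ""),
    Account("dana", "support", True, date(2025, 2, 20), "Dana Example"),
]


def review(accounts: List[Account], today: date = REVIEW_DATE) -> List[str]:
    """Return one finding per violated rule, in account order."""
    findings: List[str] = []
    for a in accounts:
        if a.role == "admin" and today - a.last_login > DORMANT_AFTER:
            findings.append(
                f"{a.name}: dormant admin account (last login {a.last_login})")
        if a.has_pii_access and a.role not in PII_ROLES:
            findings.append(
                f"{a.name}: personal-data access not justified by role '{a.role}'")
        if not a.owner:
            findings.append(
                f"{a.name}: no named owner (shared or service account)")
    return findings


def admin_accounts(accounts: List[Account]) -> List[str]:
    """Names of all accounts with admin rights, for the 'who has admin access' question."""
    return [a.name for a in accounts if a.role == "admin"]


def report(accounts: List[Account], today: date = REVIEW_DATE) -> str:
    """Plain-text record of the review, suitable for filing as documentation."""
    lines = [f"Access review {today}",
             f"Admin accounts: {', '.join(admin_accounts(accounts))}"]
    lines += review(accounts, today) or ["No findings"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ACCOUNTS))
```

The review deliberately works on an exported list rather than querying a directory live, so the same input file and the same output can be kept together as the evidence that the review took place.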
3. Keep software up to date
Outdated software with known vulnerabilities is a risk that is hard to justify in the event of an incident.
4. Regular vulnerability scans
The DSV requires “regular review” of protective measures. An automated vulnerability scan is the most efficient way to meet this requirement.
5. Document your backup strategy
Make regular backups and test the recovery. For ransomware protection, keep at least one backup offline or immutable.
6. Plan your incident response
The nDSG requires notification to the FDPIC within 72 hours in the event of a data breach. A documented process is mandatory.
7. Update your privacy policy
You are obliged to inform data subjects. The privacy policy must be accessible on your website and at the point where data is collected.
What Happens in Case of Violations?
The nDSG provides for fines of up to CHF 250’000 — and these are levied against the responsible individual, not the company. This means: managing directors and IT managers are personally liable.
In practice, the FDPIC (Federal Data Protection and Information Commissioner) will likely focus on cooperation and improvement first. But: in the event of an incident, it will be examined whether appropriate protective measures were in place. Those who cannot demonstrate any will have a problem.
Documentation Is Key
The nDSG does not require certification. But it does require that you can demonstrate you have taken appropriate measures.
Concretely, this means:
- Documented IT security measures
- Regular assessment reports (e.g. vulnerability scan reports)
- Documented improvements
- Traceable access rights
A professional scan report in your language is exactly the kind of evidence an auditor or the FDPIC wants to see.
Conclusion
The nDSG is not an IT security law in the strict sense. But it requires technical measures that align with IT security standards. Those who regularly assess their systems and document the results fulfil the majority of the technical requirements.
ExposIQ automatically generates nDSG-compliant assessment reports in German, French, Italian and English. The reports document assessed systems, identified vulnerabilities and recommended measures — exactly what auditors and regulators want to see.