Since September 2023, the new Swiss Data Protection Act (nDSG) has been in force. Many SMEs are uncertain: what do we actually need to implement on the technical side? Is a privacy policy enough? Do we need a data protection consultant?<\/p>\n
This article explains the technical requirements of the nDSG \u2014 without legal jargon, with concrete measures.<\/p>\n
Article 8 of the nDSG calls for “appropriate technical and organisational measures” to protect personal data. The Federal Council has specified these in the Data Protection Ordinance (DSV):<\/p>\n
The last point is crucial \u2014 and the one most often neglected.<\/p>\n
The law does not require specific products or certifications. “Appropriate” means: proportionate to the risk and the size of the company.<\/p>\n
A 20-person SME is held to different standards than a bank. But “we are too small, this does not apply to us” does not hold up. The nDSG applies to every company that processes personal data \u2014 and virtually every SME does (customer data, employee data, email addresses).<\/p>\n
1. Enforce encryption<\/strong> 2. Review access rights<\/strong> 3. Keep software up to date<\/strong> 4. Regular vulnerability scans<\/strong> 5. Document your backup strategy<\/strong> 6. Plan your incident response<\/strong> 7. Update your privacy policy<\/strong> The nDSG provides for fines of up to CHF 250’000 \u2014 and these are levied against the responsible individual, not the company. This means: managing directors and IT managers are personally liable.<\/p>\n In practice, the FDPIC (Federal Data Protection and Information Commissioner) will likely focus on cooperation and improvement first. But: in the event of an incident, it will be examined whether appropriate protective measures were in place. Those who cannot demonstrate any will have a problem.<\/p>\n The nDSG does not require certification. But it does require that you can demonstrate you have taken appropriate measures.<\/p>\n Concretely, this means:<\/p>\n A professional scan report in your language is exactly the kind of evidence an auditor or the FDPIC wants to see.<\/p>\n The nDSG is not an IT security law in the strict sense. But it requires technical measures that align with IT security standards. Those who regularly assess their systems and document the results fulfil the majority of the technical requirements.<\/p>\n ExposIQ automatically generates nDSG-compliant assessment reports in German, French, Italian and English. The reports document assessed systems, identified vulnerabilities and recommended measures \u2014 exactly what auditors and regulators want to see.<\/p>\n Try it free for 14 days.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":" Since September 2023, the new Swiss Data Protection Act (nDSG) has been in force. Many SMEs are uncertain: what do we actually need to implement on the technical side? Is a privacy policy enough? Do we need a data protection consultant? This article explains the technical requirements of the nDSG \u2014 without legal jargon, with … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_focus_keyword":"nDSG IT security SME","rank_math_title":"nDSG and IT Security: What Swiss SMEs Really Need to Do","rank_math_description":"The new Swiss Data Protection Act requires technical measures. 7 concrete steps every SME should implement \u2014 explained without legal jargon.","rank_math_robots":"","rank_math_canonical_url":"","rank_math_primary_category":"","footnotes":""},"categories":[8],"tags":[],"class_list":["post-916","post","type-post","status-publish","format-standard","hentry","category-it-sicherheit","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"_links":{"self":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/916","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/comments?post=916"}],"version-history":[{"count":1,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/916\/revisions"}],"predecessor-version":[{"id":926,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/posts\/916\/revisions\/926"}],"wp:attachment":[{"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/media?parent=916"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/categories?post=916"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/exposiq.ch\/en\/wp-json\/wp\/v2\/tags?post=916"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nAll externally accessible services must use TLS 1.2 or higher. TLS 1.0 and 1.1 are outdated and considered insecure.<\/p>\n
\nWho has admin access? Who can access personal data? Apply the principle of least privilege.<\/p>\n
\nOutdated software with known vulnerabilities is a risk that is hard to justify in the event of an incident.<\/p>\n
\nThe DSV requires “regular review” of protective measures. An automated vulnerability scan is the most efficient way to meet this requirement.<\/p>\n
\nRegular backups with tested recovery. Ransomware protection: at least one backup offline or immutable.<\/p>\n
\nThe nDSG requires notification to the FDPIC within 72 hours in the event of a data breach. A documented process is mandatory.<\/p>\n
\nObligation to inform data subjects. Must be accessible on your website and when collecting data.<\/p>\nWhat Happens in Case of Violations?<\/h2>\n
Documentation Is Key<\/h2>\n
\n
Conclusion<\/h2>\n