Are fiduciary companies allowed to collect data from their potential and current clients via the website? How can your team meet increased compliance requirements for selected projects? What do you need to consider when choosing fiduciary software to ensure that all data is protected in the best possible way? This blog post will give you an overview of the specifics of data protection and compliance in the digital age.
According to the Gabler Wirtschaftslexikon, compliance describes the “observance of laws, rules and standards”. Depending on the industry or project, companies have higher compliance requirements because they work with particularly sensitive or vulnerable individuals and their data. In the health or social welfare sector, for example, it is essential that all data processors strictly adhere to compliance and data protection requirements. What does this mean for trust companies?
Fiduciaries must protect the personal data they process and may store from unauthorised access, leakage and loss. This applies not only to the data of clients and interested parties, but also to data within the company itself. Digitalisation poses new challenges for fiduciary companies in this respect. On the one hand, digital documents containing sensitive data can today be better protected by means of passwords and access controls than physical documents in a paper folder. On the other hand, cyber attacks by international hacker gangs are on the rise. In recent months, for example, attacks on Swiss companies, organisations and institutes by the ransomware group LockBit have made headlines. Ransomware is a malicious programme that restricts or prevents access to data and systems; the attackers then demand a ransom for its release.
Basic versions of security software are no longer sufficient today
Because data is arguably the most valuable currency in the digital era and cyber criminals are constantly evolving their attack strategies, fiduciary companies must also adapt their approaches to cyber security and data protection. The basic version of standardised antivirus software is usually no longer sufficient to defend against today’s cyber threats and meet the highest data protection standards.
Instead, protect your fiduciary company’s workloads, data and applications across multiple domains. Document the measures and processes you have put in place so that you can submit them to the Federal Data Protection and Information Commissioner (FDPIC) if required as part of your statutory accountability. Also sensitise your employees to cyber security. Cyber criminals do not always find security gaps in applications; often the gap lies in a process flow or in the behaviour of employees.
Behavioural tips: How you and your team can minimise cyber risks
Your team should store sensitive data exclusively on password-protected platforms and systems. Do not give out login details to external people. If a colleague or the IT team asks you for a password, verify that this person is actually behind the request by contacting them through a separate channel. Define strict access rights for your systems. For data protection and compliance reasons, you should also always ask where data is stored before introducing new apps and tools for work organisation or communication. Many software companies are headquartered in the USA, where the Patriot Act allows access to company data without judicial control. In Switzerland, on the other hand, this is not permitted.
Extra tip: With data protection-compliant fiduciary software such as Accounto, you can store and process all data on a secure platform. You define the access rights yourself, so you have complete control over who can view and edit data.
What data is considered particularly worthy of protection in Switzerland?
Wages, national insurance numbers, social welfare measures, relationship status and contributions to political parties: As a fiduciary, you work with sensitive data every day. Personal data on religious, ideological, political or trade union views and activities, as well as data on health status, sexual orientation and receipt of social assistance are considered to be particularly worthy of protection under the Swiss Data Protection Act. A breach of data security in these cases can have serious consequences for the person concerned. With the revised Data Protection Act (revDSG), which came into force on 1 September 2023, genetic and biometric data are additionally included in the definition of data requiring special protection. According to the Swiss State Secretariat for Economic Affairs (SECO), the revDSG should guarantee the Swiss population “adequate data protection adapted to the technological and social changes of our time”. The compatibility of Swiss law with EU law, in particular with the General Data Protection Regulation (GDPR), is the second major concern of the new law.
This is what you must bear in mind when collecting personal data via your website
The revDSG covers the acquisition, storage, retention, use, modification, sharing, archiving, deletion and destruction of personal data. A deliberate violation of the Data Protection Act can result in fines of up to CHF 250,000. Beyond financial sanctions, data protection violations can also cause a permanent loss of reputation and trust among customers, interested parties and partners.
One of the most important changes introduced by the revised Data Protection Act (revDSG), which has been in force since September 2023, is an extended duty to inform: before obtaining any personal data – and no longer only so-called data requiring special protection – you must inform the data subject in advance. To this end, publish a privacy policy on your website and inform visitors that their data will be collected and possibly processed. You also need a cookie banner through which you obtain the website visitors’ consent to the data processing. Word the banner content so that it is easy to understand and unambiguous.
Under the right to information enshrined in the revDSG, your clients, current and former employees and all other data subjects may ask at any time what data your fiduciary company is processing about them. They may also request the release or deletion of their data. When deleting data, you must still comply unconditionally with statutory data retention obligations.