💡 If you haven't implemented TOMs yet, feel free to use Secfix template and tailor it according to your organization. You'll find the template under your Shared Drive or ask your Customer Success Manager.
Switzerland's updated Data Protection Act demands companies to bolster data security and assure data privacy optimally.
A challenge arises because technology evolves rapidly, potentially outdating specific measures. Consequently, the law advocates two foundational principles: Privacy by Design and Privacy by Default. These are executed through relevant technical and organizational measures (TOMs), which the law doesn’t explicitly detail.
The Swiss Data Protection Ordinance (DSV) offers more clarity on data security within the nFADP framework. Even though non-adherence might not lead to criminal sanctions, insufficient data security can invite grievances and supervisory authority interventions.
Key Principles:
Privacy by Design: Data protection should be integrated into the technology utilized, adhering to the latest proven standards. This encompasses encryption, anonymization, and access control.
Privacy by Default: Default configurations should ensure minimal data processing and sharing, requiring explicit user approval for additional data processing.
What's included in TOMs?
For Confidentiality:
Access control 1: Limit data access to necessary personnel.
Access control 2: Secure areas processing personal data.
User control: Ensure system users authenticate, preventing unauthorized usage.
For Availability & Integrity:
Data carrier & memory control: Guard against unauthorized access and modifications.
Transport control: Secure data during transfers.
Recovery: Restore data post incidents.
Availability & reliability: Ensure data's consistent availability, prompt malfunction reporting, and data safeguarding against system errors.
System security: Maintain up-to-date software and address vulnerabilities.
For Traceability:
Input control: Monitor data entries and modifications.
Disclosure control: Track shared data and its recipients.
Detection & elimination of data security breaches: Promptly detect and address data security breaches.
How to implement TOMs
When implementing TOMs, you should conduct a risk analysis to determine the protection level and decide which measures to prioritize.
Steps to Implement TOMs:
Appoint a coordinator, like a data protection advisor.
Assess vulnerabilities using the suggested measures, ensuring adherence to the Privacy by Default principle.
Collaborate with IT and relevant departments to enhance data security through technical (like encryption) and organizational measures (like training).
Prioritize and oversee the measure implementation.
Periodically review and update TOMs.
Striving for continuous data security enhancement is more crucial than achieving an elusive perfect protection. While criminal sanctions are unclear, it's vital to demonstrate an ongoing commitment to data security enhancement to address potential complaints.