Every company processes personal data of employees, customers or service providers. This is why it is crucial for companies to have a robust data protection infrastructure in place.

Start with a review of the applicable legislation. Develop your data protection policies, e.g. for your website, employees, customers and products/services. Ensure adequate data security is in place for any associated risks. Develop data processing agreements or any necessary documents if you process personal data yourself, on behalf of someone else or if you outsource the processing to a service provider.

This depends on the countries where your data is processed. If they are still within the EEA/EU, adequate protection is generally guaranteed. However, if data is exported to a country without adequate protection, this may be punishable under the revised data protection act. The best thing to do is to get an overview of where you transfer data to and review the countries which do not offer adequate data protection. Check whether the data can be processed without any transfers, whether the service provider can be changed, or whether other measures can be put into place such as standard contractual clauses (SCCs).

This is a tricky question. GDPR is not necessarily applicable in Switzerland as we have our own Data Protection legislation. Nevertheless, certain processing is likely to be in scope of GDPR, for example, if you are located or have operations in the EU/EEA, have customers in the EU/EEA to whom you provide products and services or have monitoring of individuals in the EU/EEA. If the above does not apply to you, it is likely that you are only under the scope of the Swiss Data Protection legislation. There are however exceptions which should be reviewed on a case-by-case basis to understand the applicability of GDPR.

Prevention starts with a strong protection infrastructure which is your first line of defence to reducing the risk of data breaches. This includes a certain structure and organisation that defines and documents certain processes and framework conditions (for example, policies for handling personal data in your company, data breach policy and incident plan or processing contracts with your service providers). However, these structures also need to be put into practice - you achieve this by raising awareness and training your employees. Of course, preventing data breaches also involves security, which you can address using appropriate technical and organisational measures (e.g. encryption, authorised access, etc.). So if a data breach was to occur, you have the right tools and processes in place to respond quickly and effectively.

That depends on whether you are in scope of GDPR (EU/EEA) or the revised Swiss Data Protection Act. GDPR does not penalise individuals, but rather companies (though with higher fines). In Switzerland, individuals can be fined up to CHF 250’000 for intentional breaches of the revised Data Protection Act, such as breaches of the duty to inform or exercise due care. Companies can be fined up to CHF 50’000 if identifying the guilty party would involve a disproportionate effort.