EU General Data Protection Regulation
In terms of compliance, the new European General Data Protection Regulation introduces new requirements. For example, certifications can serve as proof that controls and audits are carried out. This could facilitate cooperation, for example in commissioned data processing.
Another innovation in the European Data Protection Regulation (GDPR), which will come into force in 2018, is that the level playing field principle will be firmly established. This means that data collected in the EU will be subject to the GDPR, and not only to the data protection laws of the respective country, as was previously the case. This also has an impact on Switzerland.
Another requirement is the introduction of a mandatory "Data Protection Impact Assessment" for high-risk data processing. According to the GDPR, affected companies must implement a process for a "Privacy & Security Assessment". Until now, organisations have done this on a voluntary basis.
Non-compliance / non-implementation
The most important change, however, is the significant increase in fines. For significant violations of the GDPR, they can amount to up to four percent of worldwide annual turnover. Failing to fulfil or implement the legal requirements of the IT Security Act and the GDPR therefore carries an enormous risk, both commercially and for a company's reputation.
If, in addition, there is a breach of the legal obligations under the Stock Corporation Act or the Limited Liability Company Act, the management of an organisation is directly confronted with the issue of compliance. There is also a risk of a compliance violation if the companies concerned do not implement the requirements of the IT Security Act in a timely manner, do not report security incidents, violate the GDPR's provisions and/or do not report the corresponding data protection violations.
Managing other compliance risks
The management of a company only fulfils its organisational obligation in a corresponding risk situation if a compliance organisation has been set up that is designed to prevent damage and control risk. The type, size and organisation of the company, the regulations to be observed, its geographical presence and suspected cases from the past determine the scope of the compliance organisation.
Of particular importance in this regard is the implementation of a risk management system that is tailored to the needs of the organisation and can meet these requirements. Further liability risks arise, e.g. in Germany, from sections of the German Administrative Offences Act (OWiG). Specifically, Section 130 of the OWiG defines an organisation's supervisory obligations: the supervisory measures by which a company-related criminal or administrative offence would have been prevented or made significantly more difficult, namely:
- Careful selection of employees and supervisors
- Proper organisation and distribution of tasks
- Adequate instruction and information of employees about their tasks and duties
- Sufficient supervision and control of employees
- Intervention against violations and, if necessary, sanctioning of violations
Therefore, not only large corporations but also medium-sized companies should implement a Compliance Management System (CMS), which ensures compliance with the duty of legality under the AktG or GmbHG, primarily preventively but, if necessary, also repressively, and significantly reduces or completely avoids any liability for management boards or managing directors. The added value of such a CMS lies in the fact that it is not limited to implementing the IT Security Act, but extends holistically to all legal requirements. It also incorporates internal company guidelines, regulations and codes of conduct.
Management System Standards
In the area of management system standards, the requirements for the evaluation of risks and opportunities have also increased noticeably in recent times. External certifications, however, establish high security standards in the companies concerned. In many cases, it is now even mandatory for companies to provide evidence of certain certifications, for example when contracts are awarded or invitations to tender are issued in the public sector.
In this context, the following standards, among others, set the essential certification requirements:
- Quality management according to ISO 9001
- Risk management according to ISO 31000
- Compliance Management System according to IDW PS 980 or ISO 19600
- Information security according to ISO/IEC 27001