Swiss FDPIC Publishes New Guidelines on Data Breaches
Key Takeaways
- Report high-risk breaches to FDPIC: Data controllers must notify the Federal Data Protection and Information Commissioner (FDPIC) when a breach is likely to pose a high risk to the rights of individuals.
- Details matter in breach reports: Reports to the FDPIC should include a clear description of the breach, its impact, and corrective actions taken or planned.
- Voluntary reports are encouraged: If a breach is not high risk but may have significant public interest, voluntary reports to the FDPIC can be beneficial.
- Inform affected individuals: When a breach affects individuals’ rights, controllers must inform them in simple, clear language, outlining the risks and necessary actions.
Deep Dive
A data breach is never just a technical mishap; it’s a disruption that threatens both trust and personal rights. For those tasked with managing personal data, the Federal Data Protection Act (FADP) lays out clear—but complex—guidelines on how to handle such breaches. Article 24 of the FADP is especially crucial, detailing the responsibilities of data controllers when security incidents occur. Here’s a rundown of how data controllers can navigate these waters, ensuring they’re both compliant and proactive.
So, the worst has happened—a data breach. But don’t panic. The first step for a data controller is figuring out the scope of the breach. Specifically, does it pose a "likely high risk" to the individuals whose data has been compromised? If the answer is yes, there’s no time to waste—report the breach to the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible.
But what exactly does that report need to include? Think of it like a briefing to a colleague—you need to be clear, detailed, and honest:
- What happened: Describe the breach in simple terms. Was it a technical fault? Human error? Or something more malicious?
- Scope and impact: How big is this? What kind of personal data was affected, and how might this harm the individuals involved?
- Next steps: Outline what’s already been done to contain the damage and what further actions are planned.
These details help the FDPIC assess the situation and guide you through the next steps.
Voluntary Reporting
Not every breach will immediately meet the threshold for mandatory reporting. But that doesn’t mean you should stay quiet. Voluntary reports allow you to alert the FDPIC about incidents that, on paper, don’t seem to pose a "high risk" but could still have significant public interest—especially if the breach affects a large number of people.
It’s a bit like notifying a neighbor about a small fire in your backyard, even if it hasn’t spread yet. The FDPIC will review your voluntary report and determine if further action is needed, whether that’s informing the public or simply asking you for more details.
Keeping Data Subjects in the Loop
One of the more challenging aspects of managing a data breach is deciding how to communicate with those affected. Data controllers have a legal responsibility to inform the affected individuals if the breach poses a threat to their rights—especially if they need to take action to protect themselves. So, if people need to change passwords, monitor accounts for fraud, or be on the lookout for phishing emails, it’s your job to make sure they’re aware.
If the breach is severe, or the number of affected individuals is large, the FDPIC may even step in to ensure the public is notified. But even in those cases, data controllers usually take the lead—after all, it’s your data and your responsibility to protect it.
This notice should be clear, simple, and free of jargon. Use language that everyone can understand, focusing on:
- What happened: Give a simple explanation of the breach.
- What’s at risk: Explain how it could affect the individual.
- What they can do: Guide them on steps they can take to minimize harm.
Don’t leave them guessing. The goal is transparency—help people understand the situation so they can make informed decisions.
Assessing "High Risk": What Does It Really Mean?
The concept of "likely high risk" is at the heart of the FADP’s reporting requirements. But how do you know when a breach meets this bar?
Here are a few things to consider:
- Severity: Does the breach involve sensitive data—like health records, financial details, or anything that could lead to identity theft? The more sensitive the data, the higher the potential risk.
- Intent: Was this a mistake, or was it a deliberate attack? A breach caused by malicious intent usually means a higher risk for individuals.
- Exposure: How easy is it for someone to use the stolen data to identify and harm people? If the data is encrypted or anonymized, the risk is significantly lower.
Also, keep in mind that you don’t have to wait until everything is fully assessed before reporting. If you have reason to believe the breach could cause significant harm, it’s better to err on the side of caution and report sooner rather than later.
What Happens If You Don’t Report?
Here’s the tough reality: if you fail to report a breach that should have been reported under the FADP, the FDPIC can come knocking. While it’s not a criminal offense, you could face administrative sanctions or be required to take corrective actions. In the worst case, you might even be publicly called out for not fulfilling your duties. So, when in doubt, report early—and report thoroughly.
In the world of data protection, transparency is your best tool. Both the FDPIC and affected data subjects need clear, honest communication about the breach and its consequences. If you’re proactive, transparent, and detailed in your reporting and notifications, you’ll not only stay compliant with the FADP but also help restore trust with those whose data you’re responsible for protecting.
At the end of the day, handling a data breach is about more than just following legal requirements. It’s about doing the right thing for the people whose lives can be impacted. Make sure you’re ready to act, report, and inform in a way that reflects both your legal obligations and your moral responsibility.