Updated or new regulations such as the Data Protection Act (CH-DSG), Electronic Identity (CH-e-ID), Federal Act on Electronic Patient Dossiers (CH-EPDG) and also European / international laws and standards such as the General Data Protection Regulation (EU-DSGVO) / General Data Protection Regulation (EU-GDPR) have demanding and, depending on the business model (e.g., regarding the handling and use of person-sensitive data), profound effects. Depending on the business model (e.g., with regard to the handling and use of personal sensitive data), these have a profound impact and require measures to be taken as early as possible in the organization / processes / ICT processes, right through to the company and ICT strategy. With the EU-DSGVO / GDPR, this is the case by May 2018 at the latest.
By means of rules, the processing of personal data (also data sovereignty, data self-determination or co-determination, data deletion, privacy by design, privacy by default) by private companies and public bodies is to be standardized throughout the EU. On the one hand, this is intended to ensure the protection of personal data within the European Union, and on the other hand, to guarantee the free movement of data within the European Single Market. From my point of view, it is self-explanatory that Switzerland, a landlocked country, cannot and must not close itself off within the framework of its own regulation. Finally, Switzerland must also orient itself to Europe and international standards within the framework of Industry 4.0 / digitalization and only by doing so can it benefit from adaptable innovations from the latest developments in areas such as cyber security, privacy, clouds, AI, big data, and data science in global competition.
What this means in practice is currently experiencing an inflationary range of opinions. The following are some personal opinions:
Actually, data protection can be understood as a high-wire balancing act and tightrope walk between business requirements in times of digitalization and the degree of fulfillment of increasing bureaucracy. The question of the safety net or balancing tool (e.g., of strategy, technology and processes) is justified.
Although at present no sufficient long-term data or empirical values are available, one can actually take or announce at present only another opinion or prepare and gradually introduce in “secure minded best practices” process and technology design. In doing so, one should also maintain a certain flexibility for the assumed dynamics of further development in the corresponding overall ICT architecture.
Currently, the aspects of the required data protection officer DPO and the conceivable data breaches for risk minimization (“data breach notification”) / data protection impact assessments (becoming a sub-area of “risk management”, internal control systems ICS or “incident response management”) are certainly among the first practical priorities. In the official legislative consultations on the CH-DSG, CH-e-ID, CH-EDPG on the part of the Federal Government (in which I participated with great personal and entrepreneurial interest in task forces on the part of isss.ch), a corresponding adaptation or necessary orientation to the European legislation or international standards is foreseeable. Regardless of this (fortunately, but only at least…) the obligation to comply with the CH-OR for the application of “fidelity and due diligence” when dealing with data of customers and business partners remains unchanged.
In view of the comprehensive revision and future orientation of privacy / data protection, it is of course recognizable that in principle ALL companies, industries, suppliers, providers are affected and all (must) become “high-wire dancers” (hopefully with said safety net or balance tool). Specifically mentioned are also healthcare (eHealth, EPDG), schools, universities, human resources (HR analytics, recruiting, assessment, work analytics), platform economy (e.g. CRM, user behavior, purchasing behavior, social media / engagement analytics) and generally the “digital society”.
Industry 4.0 and the corresponding digitalization demand integrated and robust processes as the backbone of integrated collaboration – also based on ICT systems / clouds and interfaces with a focus on maximum, auditable attack and operational security with maximum data protection / privacy aspects.
Product and method-neutral approaches / questions, but based on regulations / industry standards and adaptable “best practices” for each company / project size should be comprehensively / understandably demonstrated and appropriately introduced. And this should be automated and integrated in such a way that the affected user, business partner or customer is not disturbed or restricted by this, but is aware of the relevant effects, is informed and receives and retains transparent control if required. Auditable process cycles under the aspects “identify + classification” / “labeling” / “protection” / “share” / “monitoring + logging” / “report + auditing” should be observed.
The “platform capitalism” and the “massive interconnection” in the context of Industry 4.0 / digitalization and new universes such as IoT, Big Data, Data Science, Artificial Intelligence AI, “Cyberphysical Systems” leave behind concept and security issues which must then also be “managed” and “audited”.
A pure “Swiss data protection” in regulation / standardization is to be actively prevented, banishes the future abroad and adaptable innovations and developments (also orders) are lost abroad otherwise.
In the context of the “National Strategy for the Protection of Switzerland against Cyber Risks NCS” (Fridel Rickenbacher is also a player), adaptable “outcomes” (of the previous 16 adopted and upcoming measures) will also be expected from the critical infrastructures such as power plants, power supply, air traffic, transport, hospitals, large buildings. The second edition of the NCS is currently being developed and more details on this should be available by the end of 2017.
Since last year, ongoing “digitization tests of Swiss laws” by SECO Bern (see interview by Fridel Rickenbacher with Dr. Eric Scheidegger) form a further basis for upcoming standards and leaflets or even standardizations in all areas.
“Open Systems / Open Standards” demand as open as possible (cross-connect, transparency) but at the same time as secure as possible collaboration of the actors (people and processes) as a contradiction of as isolated as possible, closed systems with as maximum security levels as possible.
A “security minded” model also serves as a sensitization / mindset for maximum security orientation and auditability in system architectures with all actors (people – processes – technology – considering physical and logical security).
An intelligently orchestrated, fully integrated overall ICT architecture with maximization of attack and operational security will become a supporting pillar for Industry 4.0 / new business models or, in this use case, for achieving the highest “maturity level” / level of maturity of existing or new “business models” / business models.
The future will be characterized by (hopefully) secure minded “Business Model Maturity Empowering” or “Data Monetization” of all “Business Models” / business models by means of ICT, Big Data, AI, Data Science.
The term “Data Monetization” or simply translated “Bringing data to success and making money” shows a challenging way (or even contradiction?!) of disciplines (high wire act as said…) like “Privacy & Security”, “Information Ethics” or ideas / concepts / visions of the “digital society” or also “Open Data”.
