Compliance requirements, changing data protection laws and new ways of working, such as home working, present many challenges to Nicolas Passadelis in his role as lead Data Protection Officer at Swisscom. In this interview, he gives us an insight.
Text: Andreas Heer, Pictures: Swisscom
30 September 2022
The data processed by Swisscom each day is subject to many different legal requirements. Furthermore, the risks associated with data processing vary greatly. The challenge is to meet all of these requirements without hindering the technical and operational processes. We have therefore developed a comprehensive range of technical, operational and personnel measures to help us to choose the best possible solution in each individual case.
Infrastructures and data must be given optimal protection as a matter of principle. Compromises cannot be justified to our customers. They trust us with their data and expect that this data is always effectively protected with us. However, it is clear that certain data and infrastructures require even greater protection. It is therefore imperative that we likewise meet this need.
Data must always be protected effectively. It makes no difference whether that data is processed by us or by our partners. As the customer relationship is usually with us, we are also responsible for ensuring that our partners protect that data. Our partners must therefore be willing to accept our requirements.
At present, the human factor still plays a significant role. As virtually all of us work with data on a daily basis, we need to learn how to handle data with care at all times. That means that we have to know the data that we work with as well as we know the technical resources that we need. In addition, we need to have a sense of the risks inherent in the processing of certain data. This can be challenging in some cases, but there is no alternative. Basically, we need to handle data like money. We hardly ever make any mistakes now.
Generally speaking, the conditions under which data is processed should not matter. Protection must always be guaranteed. But the fact is that new ways of working have a different risk profile compared to conventional, office-based work. This risk profile requires different measures. For instance, it may be necessary to impose technical restrictions on or even prevent the processing of certain data in less trusted countries.
We established a comprehensive schedule for the implementation of the new Data Protection Act two years ago, and we will be ready on 1 September 2023. However, no large-scale amendments to our management system are needed, as there was already an effective data protection law in place. Moreover, in some areas, Swisscom is subject to the EU’s General Data Protection Regulation (GDPR) and there are also many requirements that arise from our contracts. However, the overhaul of the act provides a good opportunity for us to review our management system and to improve it where necessary.