Nicolas Passadelis interview

«We need to handle data like money.»

Compliance requirements, changing data protection laws and new ways of working, such as home working, present many challenges to Nicolas Passadelis in his role as lead Data Protection Officer at Swisscom. In this interview, he gives us an insight.

Text: Andreas Heer, Pictures: Swisscom
30 September 2022

Nicolas Passadelis is Head of Data Governance and lead Data Protection Officer at Swisscom.

1. What are the challenges you face in your day-to-day work?

Nicolas Passadelis: In recent years, the complexity of the telecommunications and IT sectors has continued to increase. At the same time, the legal and regulatory requirements for data processing are becoming progressively tougher. In this environment, the implementation of data processing requirements is quite challenging.

2. What is the compliance framework at Swisscom?

Swisscom operates a management system for data protection and confidentiality and, of course, for data security. In doing so we follow internationally recognised standards, such as a range of ISO standards. This management system is an integral part of our group-wide compliance management system. We have also developed a data ethics framework, which helps us to resolve ethical issues relating to data processing or the use of new technologies.

3. What data protection challenges does Swisscom face? And how do you tackle them?

The data processed by Swisscom each day is subject to many different legal requirements. Furthermore, the risks associated with data processing vary greatly. The challenge is to meet all of these requirements without hindering the technical and operational processes. We have therefore developed a comprehensive range of technical, operational and personnel measures to help us to choose the best possible solution in each individual case. 

4. How do the classification as ‘critical infrastructure’ and the statutory provisions for telecommunications impact compliance and data protection requirements?

Infrastructures and data must be given optimal protection as a matter of principle. Compromises cannot be justified to our customers. They trust us with their data and expect that this data is always effectively protected with us. However, it is clear that certain data and infrastructures require even greater protection. It is therefore imperative that we likewise meet this need.

5. What do our compliance requirements mean for our partners, such as suppliers or IT partners for SMEs?

Data must always be protected effectively. It makes no difference whether that data is processed by us or by our partners. As the customer relationship is usually with us, we are also responsible for ensuring that our partners protect that data. Our partners must therefore be willing to accept our requirements.

6. What role does the human factor play in data protection?

At present, the human factor still plays a significant role. As virtually all of us work with data on a daily basis, we need to learn how to handle data with care at all times. That means that we have to know the data that we work with as well as we know the technical resources that we need. In addition, we need to have a sense of the risks inherent in the processing of certain data. This can be challenging in some cases, but there is no alternative. Basically, we need to handle data like money. We hardly ever make any mistakes now.

7. What is the impact of ‘New Work’ and working models such as home working on compliance and data protection?

Generally speaking, the conditions under which data is processed should not matter. Protection must always be guaranteed. But the fact is that new ways of working have a different risk profile compared to conventional, office-based work. This risk profile requires different measures. For instance, it may be necessary to impose technical restrictions on or even prevent the processing of certain data in less trusted countries.

8. What is the significance for Swisscom of the new Swiss Data Protection Act, which comes into force on 1 September 2023?

We established a comprehensive schedule for the implementation of the new Data Protection Act two years ago, and we will be ready on 1 September 2023. However, no large-scale amendments to our management system are needed, as there was already an effective data protection law in place. Moreover, in some areas, Swisscom is subject to the EU’s General Data Protection Regulation (GDPR) and there are also many requirements that arise from our contracts. However, the overhaul of the act provides a good opportunity for us to review our management system and to improve it where necessary.
