Implementation of the EU General Data Protection Regulation at Arjo AG Switzerland
The new European Union General Data Protection Regulation (GDPR) went into effect on May 28th, 2018. Experts view the GDPR as a victory for human rights, as it returns control of personal data back to the individuals.
Consumers welcome the new data protection rights and some businesses see the new regulation as an opportunity to gain a competitive advantage if implemented correctly and transparently. The introduction of the GDPR also prompted the Swiss legislation to reevaluate and revise their existing Federal Act on Data Protection (FADP).
Hermann Grieder, 2018
Bachelor Thesis, Arjo AG
Supervising lecturer: Frank Grimberg
Keywords: General Data Protection Regulation, GDPR, Swiss Federal Act on Data Protection, FADP, implementation, data rights, right to data access, right to data rectification, right to data erasure, right of data portability, Privacy by Design, Privacy by Default, compliance
The enactment of the GDPR affected the international Arjo corporation based in Malmö, Sweden, a global supplier of medical devices and solutions that improve quality of life for people with reduced mobility and age-related health challenges. With over 5500 employees globally in over 100 countries, Arjo generates an annual revenue of EUR 750 million.
Even though Switzerland is not part of the EU, Arjo Switzerland, as part of the Arjo corporation, has to comply with the EU GDPR. Given these developments, namely the introduction of the GDPR and the pending revision of a new Swiss data protection regulation, Arjo Switzerland needs to know how a Swiss-based company can become compliant with the GDPR and how to prepare for the pending changes in the Swiss data protection law, expected to go into effect in early 2019.
As a first step, literature research and review were used to gain an understanding of the GDPR. Then, to identify and log the processes handling personal data at Arjo Switzerland, employee interviews and job observations were conducted. During the project, the instructions and changes from the Arjo Corporation in Sweden and the project lead in the UK were implemented. For the comparison between the GDPR and the pre-draft of the Swiss Federal Act on Data Protection (FADP), the draft itself, expert reports and speeches of the Swiss Federal Council members were analyzed and summarized.
Through this project, internal processes that handle personal data at Arjo Switzerland have been identified and logged. Arjo knows the gaps that exist between these current processes and the GDPR. Arjo received a detailed list of recommendations for how to mitigate the gaps identified. Furthermore, Arjo is informed about the general concepts and principles of the GDPR and understands the importance of compliance and the consequences of non-compliance with the new regulation. Finally, Arjo was provided with a comparison between the GDPR and the pre-draft of the FADP in order to be able to prepare for possible necessary adjustments and changes to its processes. The preliminary findings of this comparison show that GDPR-compliant companies would also be FADP compliant.
Degree program: Business Information Technology (Bachelor)
Subject area of the thesis: Business Information System & IT-Management