awsmtech.ch

White Paper EN


GDPR & nFADP Guide for Pros

GDPR & Swiss nLPD Compliance for SME IT Infrastructures

WHY IT MATTERS

Swiss SMEs must comply with both the EU GDPR and the Swiss Federal Act on Data Protection (nLPD). These laws apply to all organisations processing personal data, regardless of size. Non-compliance risks fines (up to €20M under GDPR, CHF 250k under nLPD) and reputational damage.

KEY LEGAL PRINCIPLES

• Lawfulness & Transparency – Inform users clearly about data use and obtain valid consent.
• Data Minimisation – Collect only what’s necessary.
• Security & Confidentiality – Protect data with encryption, access controls, and breach response plans.
• Accountability – Keep records, assign responsibility, and train staff.

IT COMPLIANCE CHECKLIST (Step – Action – Owner)

• Assign Responsibility – Appoint a privacy lead or DPO. – Owner: Management
• Map Data & Risks – Audit data flows and assess gaps. – Owner: IT + Privacy
• Legal Basis & Consent – Justify each data use (consent, contract, etc.). – Owner: Legal + IT
• Update Policies – Publish privacy notice and internal guidelines. – Owner: Legal
• Implement Security Measures – Encrypt data, enforce MFA, monitor systems. – Owner: IT Security
• Retention & Minimisation – Delete unnecessary data, set retention rules. – Owner: IT + Legal
• Manage Vendors – Sign Data Processing Agreements (DPAs). – Owner: Procurement
• Enable Rights Requests – Allow users to access, correct, or delete their data. – Owner: IT + Support
• Train Staff – Educate employees on privacy and security. – Owner: HR + IT
• Breach Response Plan – Prepare and test incident response procedures. – Owner: IT + Privacy

TECHNICAL MUST-HAVES

• Encryption: For data at rest and in transit.
• Access Control: Role-based permissions, MFA.
• Retention Policies: Automate deletion of outdated data.
• Monitoring: Detect and respond to breaches swiftly.

SWISS VS EU DIFFERENCES

• Swiss law protects individuals only, not companies.
• Breach notification must be done ASAP, not within 72h.
• Fines target individuals, not just companies.
• Legal basis is flexible, but must not infringe privacy.

GDPR Guide for Professionals

A GDPR Compliance Guide for IT Infrastructures in Swiss SMEs (including Swiss nLPD)

Overview: GDPR and Swiss nLPD in a Nutshell

GDPR (General Data Protection Regulation) – An EU-wide privacy regulation effective since 2018, setting strict rules on how organisations handle personal data. GDPR has extraterritorial reach: it applies to companies outside the EU (including Swiss SMEs) if they offer goods/services to EU residents or monitor their behaviour online. GDPR mandates principles like lawfulness, transparency, data minimisation, purpose limitation, accuracy, storage limitation, integrity/confidentiality, and accountability (Article 5 GDPR). It introduced obligations such as data protection by design and by default, mandatory breach notifications within 72 hours, and substantial fines for non-compliance (up to €20 million or 4% of global turnover). For IT infrastructure, GDPR translates to ensuring that systems and processes protect personal data at all stages – from collection and storage to transfer and deletion.

Swiss nLPD (new Federal Act on Data Protection, 2023) – Switzerland’s updated data protection law (in force since 1 September 2023) aligns closely with GDPR’s principles to maintain EU adequacy. The nLPD (revised FADP) strengthens individuals’ rights and introduces Privacy by Design and Default into Swiss law. Key points: it applies to personal data of natural persons (the new law, unlike the old one, no longer protects data on legal entities). Swiss SMEs handling personal data must comply with nLPD requirements even if they are not under GDPR scope. Notably, nLPD requires maintaining a record of processing activities (with some exemptions for low-risk SMEs) and “prompt” breach notification to the regulator. However, there are some differences from GDPR (detailed later): for example, fines under nLPD are capped at CHF 250,000 and typically target responsible individuals, and breach reports must be made “as soon as possible” rather than within a fixed 72-hour window.

Overlap and Importance: Both GDPR and nLPD seek to protect personal data and give individuals control over their information. For a Swiss SME’s IT department, this means building a compliant IT infrastructure that meets both sets of requirements. Fortunately, a company that is GDPR-compliant will meet most nLPD obligations, as the Swiss law was designed to be compatible. The following sections outline the core compliance requirements and practical steps for IT teams, and highlight where GDPR and nLPD converge or diverge.

Key Compliance Requirements for IT in SMEs

Lawful and Transparent Data Processing

Every personal data processing activity must have a lawful basis and be transparent to the individual. GDPR defines six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) for processing (Article 6 GDPR). Swiss nLPD similarly requires justification for data processing.

Action for SMEs: Document all categories of personal data your IT systems collect and process (customer data, employee data, etc.), and note the legal basis for each. Provide clear privacy notices to users explaining what data is collected and why (transparency). Avoid collecting data you don’t need (data minimisation) and only use it for the stated purposes. For instance, if an SME’s website tracks user behaviour with analytics, GDPR likely requires user consent or another valid basis for that tracking. Both laws also enshrine individuals’ rights (access, correction, deletion, data portability, etc.), so IT systems should be prepared to fulfil data subject requests – e.g. allowing extraction or deletion of a user’s data upon request.

Data Storage and Retention

Personal data should be stored securely and not retained longer than necessary. Under the GDPR’s “storage limitation” principle, data must be deleted or anonymised once it’s no longer needed for the purpose collected. Swiss nLPD similarly expects you not to keep personal data indefinitely without reason.

Action for SMEs: Implement retention policies in IT systems – e.g. automatically delete or archive data after a certain period if it’s not needed. For example, logs containing personal data might be purged after X months. Ensure that backups and archives are also covered by these retention limits (so old personal data doesn’t live forever in backup files). If your SME uses cloud services or data centers abroad, confirm that international storage complies with GDPR/nLPD transfer rules – i.e. either the country has an adequacy

White Paper EN

The Cybersecurity Survival Guide for Protecting Your Business

Why a Book on Cybersecurity?

To no one’s surprise, what you’re holding in your hand (or reading on your screen) is a book on cybersecurity.

But why does the world need another book on a topic that has been turned upside down and inside out so many times?

Because many business owners still see cybersecurity as a big, scary word they would do anything to avoid. For many, it creates that same stomach-crunching, heart-in-your-throat feeling they get when they’re about to visit their dentist.

That feeling often stems from the unknown and from years of fearmongering. So, cybersecurity remains somewhat of a fringe topic, often pushed aside for “better” subjects like sales, marketing, and operations.

After all, no one wants to contemplate the horror scenarios their business or even their lives could face, especially when they could be focusing on how to grow their business instead.

The bad part about this is that fear can lead to “technostress” and apathy. If a problem seems too overwhelming or complex, business owners tend to feel helpless and disengage completely, ironically making them more vulnerable to those very threats they fear.

With that in mind, I promise you this book is not meant to create manufactured urgency or use fearmongering as a tactic to compel you to invest in cybersecurity.

The goal of this book is to demystify cybersecurity, make it digestible, and, at the risk of pushing it too far, maybe even exciting.

It aims to give you the confidence that you can implement cybersecurity in your business without being an expert, providing you with knowledge of how cybersecurity works and how simple it can be if you follow a framework.

Simply put, you’re about to dive into how to keep your business secure and protected from those pesky hackers.

Now, I can’t promise that just reading this and putting it into practice will make your business totally unbreachable, as that’s just not realistic. But it will make your defenses a whole lot stronger!

The truth is, there’s no such thing as a 100% secure business or organization. If an IT provider tells you that, they’re probably not being completely straight with you. Even big governments, with all their fancy resources, can get hit by sophisticated attacks.

That being said, you will be able to protect your business against most threats out there. You might even be surprised to hear that a huge chunk, 80-90% of breaches, comes from incredibly simple, often overlooked things.

The good news about this is that it also means it’s straightforward to put effective safeguards in place.

And as we go further, you’ll see that a big part of cybersecurity is just about building new, consistent habits. Easy, actionable steps that you and your team can add to your everyday routines.

Take this book one step at a time.

Don’t feel like you need to implement everything at once. Instead, just pick one or two practical things from each chapter that you can start doing right away. The main goal here is to make incremental progress, rather than stressing about being perfect overnight.

We’ll kick things off by getting a good handle on the basics, and from there, we’ll walk through the most important habits for keeping both your people and your valuable data safe and sound.

So, grab a coffee (or whatever your favorite beverage is), and let’s get started on building a more secure future for your business together!

Regards,
Andrea C. Nuti
Co-founder

© Copyrights AWSMTECH (Switzerland) LTD – November 2025

PART I
The What & The Why

What Cybersecurity Is

I want to start this chapter by clarifying what cybersecurity is NOT. Tech experts often make simple subjects complicated, and that’s exactly what I aim to avoid in this book.

For the average business owner, cybersecurity is not an overwhelmingly complex subject. While it’s true that cybersecurity can become complex for Fortune 500 companies, government agencies, or scientific laboratories, it’s a different story if your company isn’t dealing in highly sensitive data or operating in critical infrastructure sectors. For most small to medium-sized businesses, the fundamentals are straightforward and manageable.

Cybersecurity isn’t a product you buy. It’s a collection of smart business habits to manage digital risk. Essentially, cybersecurity is how we reduce the likelihood and impact of events that could misuse, disrupt, or expose valuable data and systems. It’s simply risk management for the digital parts of your company.

And cybersecurity does not discriminate. Many owners think they’re too small to be a target. That’s a dangerously outdated assumption. Most hackers aren’t master criminals looking to take down a government. They’re running a business based on volume, using automated software to scan the entire internet for easy openings. Your size doesn’t make you invisible; it can make you an easier target because hackers assume you have weaker defenses. This is why 43% of all cyberattacks are aimed at small businesses [i], and a shocking 60% of them shut down within six months of a major attack [ii].

But here’s the most important part: Many of these attacks aren’t sophisticated, high-tech assaults. They prey on simple, overlooked things. The latest data shows that between 60% and 95% of all breaches involve a non-malicious human element [iii], like an employee accidentally clicking a bad link or being tricked by a convincing email. This means that straightforward, effective safeguards are completely within your reach. The power to protect your business is in your hands, and it doesn’t require a million-dollar budget.

So, how do you protect against these common threats? You just need a simple way to think about it. Everything in cybersecurity really comes down to three core pillars:

The first is Identity. This is all about who has the keys to your business—your people, their accounts, and the devices they use. If your habits here are sloppy, like

White Paper EN

Compliance Checklist for Swiss SMEs

Below is a checklist of key steps and practices to help ensure GDPR and nLPD compliance, summarising the discussions above. SMEs can use this as a reference to review their IT and data protection readiness. Each step below corresponds to an essential aspect of GDPR/nFADP compliance. By following this checklist, SMEs can systematically address their obligations:

• Steps 1–3 set the foundation (responsibility, awareness, and transparency).
• Steps 4–5 focus on security and data management within IT operations.
• Step 6 covers vendor compliance, an often-overlooked area.
• Step 7 readies the organisation for the worst-case scenario of a breach.
• Step 8 ensures individual rights can be respected in practice.
• Steps 9–10 emphasise the human factor and continuous nature of compliance.

Finally, always refer back to authoritative resources for guidance. The official texts – GDPR (EU Regulation 2016/679) and the Swiss nFADP – are primary references (the Swiss FDPIC’s website provides detailed summaries of the new law’s provisions). Regulatory authorities like the European Data Protection Board and national bodies (e.g. the UK ICO or FDPIC) publish guides and FAQs which can be very helpful for SMEs. By staying informed through these sources and following the strategies in this guide, IT professionals and SME managers can confidently steer their organisations toward full compliance with both GDPR and nLPD, thereby protecting their clients’ data and their own business success.
