Data Protection Switzerland: nDSG Implementation for SMEs

There is a persistent myth that small companies are exempt from the nDSG. No such exemption exists.

Since September 1, 2023, the new Data Protection Act (nDSG, officially “revDSG” - revised Federal Act on Data Protection) has been in force in Switzerland. For Swiss SMEs, this means concrete obligations regarding the protection of personal data. Unlike previous data protection regulations, the nDSG brings significantly stricter requirements, including notification obligations for data breaches, documented processing registers, and explicit requirements for data security measures.

This guide provides Swiss SMEs with a practical roadmap for implementing nDSG requirements. We explain what needs to be done, how to prioritise measures, what costs to expect, and how to avoid common mistakes.

Important: This guide provides practical orientation but is not legal advice. For individual questions or complex data processing, consult a specialised lawyer for data protection law.

Why nDSG Implementation is Mandatory, Not Optional

The nDSG applies to all companies processing personal data of individuals in Switzerland. There are no size thresholds, no industry exceptions, no grace periods. Whether you’re a 2-person startup or a 200-employee company, you must comply.

Personal Liability

Art. 60-62 nDSG introduce criminal penalties for individuals (not companies) who intentionally violate specific obligations. Fines up to CHF 250,000 can be imposed on:

  • Managing directors
  • Board members
  • Data protection officers
  • IT managers
  • Anyone responsible for data processing

This is new: Previously, companies were liable; now, individuals face personal criminal liability.

Reputational Risk

Data breaches are public. When you must notify the Federal Data Protection and Information Commissioner (FDPIC) about a breach, this information can become public. Customers, partners, and media will know. The reputational damage often exceeds legal fines.

Competitive Disadvantage

Increasingly, business customers (especially in B2B) require data protection compliance. Without documented nDSG compliance:

  • You lose tenders and RFPs
  • Large clients won’t work with you
  • You can’t process customer data for clients
  • International business becomes difficult (especially EU)

The nDSG Core Obligations for SMEs

1. Data Security (Art. 8 nDSG)

Obligation: Implement appropriate technical and organisational measures to protect personal data from unauthorised processing, accidental loss, destruction, or damage.

What “appropriate” means:

“Appropriate” is context-dependent and considers:

  • Sensitivity of data: Health data requires more protection than newsletter emails
  • Scope of processing: Processing 100,000 records requires more than processing 100
  • State of technology: What is technically feasible and common today?
  • Costs: Measures must be proportionate, but cost is not an excuse for inaction
  • Risk level: Higher risk requires stronger measures

Minimum technical measures:

  1. Access control:
  • Strong passwords (min. 12 characters, complexity)
  • Multi-factor authentication (MFA) for systems with personal data
  • Role-based access (principle of least privilege)
  • Regular review of access rights
  • Immediate revocation when employees leave
  1. Encryption:
  • Encryption at rest (databases, backups, file servers)
  • Encryption in transit (HTTPS, TLS, VPN)
  • Full disk encryption for laptops and mobile devices
  • Encrypted email for sensitive data
  1. Backup and recovery:
  • Regular backups (daily for critical data)
  • Offline or immutable backups (ransomware protection)
  • Regular recovery tests (quarterly)
  • Documented backup policy
  1. Updates and patches:
  • Regular security updates (monthly, critical patches immediately)
  • No end-of-life software
  • Documented patch management process
  1. Network security:
  • Firewalls (perimeter and internal segmentation)
  • Antivirus/endpoint protection
  • Intrusion detection/prevention where appropriate
  • Secure Wi-Fi (WPA3 or WPA2, strong passwords)
  1. Logging and monitoring:
  • System logs for access, changes, errors
  • Log retention (minimum 6 months)
  • Monitoring for anomalies
  • Incident response capability

To verify that these technical measures actually hold up under real-world conditions, periodic penetration testing is strongly recommended. Providers such as RedTeam Partners can assess whether your data security controls meet the “appropriate measures” threshold the nDSG demands.

Minimum organisational measures:

  1. Policies and guidelines:
  • Data protection policy
  • Information security policy
  • Password policy
  • Acceptable use policy
  • Remote work policy
  • Data breach response plan
  1. Employee management:
  • Confidentiality agreements
  • Data protection training (annual)
  • Clear responsibilities
  • Exit procedures
  1. Vendor management:
  • Data processing agreements (DPAs) with all processors
  • Vendor assessment (security, compliance)
  • Regular audits
  1. Documentation:
  • Register of processing activities
  • Data protection impact assessments (where required)
  • Incident log
  • Training records

Cost estimate (Small SME, 10-20 employees):

  • Initial technical setup: CHF 2,000-8,000
  • Annual software/licences: CHF 1,000-3,000
  • Training: CHF 500-1,500/year
  • External consulting (optional): CHF 2,000-8,000 initially

2. Information Obligation (Art. 19 nDSG)

Obligation: Inform data subjects transparently when collecting personal data.

Minimum information required:

  • Identity of controller (your company)
  • Purpose of data processing (why are you collecting this data?)
  • Categories of personal data (what data?)
  • Recipients or categories of recipients (who gets the data?)
  • Retention period (how long kept?)
  • Rights of data subjects (access, correction, deletion, etc.)
  • Data transfers abroad (if any, to which countries)
  • Legal basis (consent, contract, legitimate interest, legal obligation)

Where to provide information:

  • Privacy policy: Thorough document on website, linked from footer
  • Privacy notices: Point-of-collection notices (forms, signup, checkout)
  • Consent mechanisms: Cookie banners, newsletter checkboxes, marketing consent

Practical implementation:

  1. Privacy policy:
  • Create thorough document covering all processing activities
  • Use clear, understandable language (avoid legal jargon)
  • Update when processing changes
  • Make easily accessible (max. 2 clicks from any page)
  • Tools: Privacy generators (SwissAnwalt.ch, Datenschutzpartner.ch) for basic needs, lawyer for complex cases
  1. Point-of-collection notices:
  • At contact forms: “Your data will be processed for [purpose]. See [Privacy Policy].”
  • At newsletter signup: Clear description, link to privacy policy, double opt-in
  • At checkout: Information about payment processing, order fulfilment
  • In apps: Privacy notice before first data collection
  1. Consent mechanisms:
  • Cookie banners for non-essential cookies (analytics, marketing)
  • Opt-in, not opt-out (users must actively consent)
  • Granular choices (not just “accept all”)
  • Document consent (who, what, when)

Cost estimate:

  • Privacy policy (DIY with generator): CHF 0-500
  • Privacy policy (lawyer, tailored): CHF 1,500-4,000
  • Cookie banner tool: CHF 0-600/year
  • Implementation (developer): CHF 500-2,000

3. Register of Processing Activities (Art. 12 nDSG)

Obligation: Maintain internal documentation of all personal data processing activities.

Who needs a register?

All companies with 250 or more employees must maintain a public register. Smaller companies (under 250 employees) must maintain an internal register if:

  • Processing involves high risk to data subjects
  • Processing of sensitive personal data on a large scale
  • Systematic profiling

Practical reality: Even if not legally required, maintaining an internal register is strongly recommended for all SMEs. It’s the foundation for compliance, helps identify risks, and demonstrates good faith in case of FDPIC inquiry.

Minimum content per processing activity:

  1. Purpose: Why are you processing this data?
  2. Categories of data subjects: Customers, employees, suppliers, website visitors?
  3. Categories of personal data: Names, emails, addresses, financial data, etc.
  4. Recipients: Who receives this data? (Internal departments, external processors, third parties)
  5. Data transfers abroad: To which countries? With what safeguards?
  6. Retention period: How long is data kept?
  7. Security measures: General description of technical and organisational measures
  8. Legal basis: Consent, contract, legitimate interest, legal obligation

Tools:

  • Excel/spreadsheet (simple, free)
  • Specialised software (DataGuard, OneTrust, Usercentrics - CHF 1,000-5,000/year)
  • Lawyer/consultant can create template

Example entry:

Processing ActivityCustomer CRM
PurposeCustomer relationship management, sales follow-up, support
Data SubjectsCustomers, prospects
Personal DataName, company, email, phone, address, interaction history, purchase history
RecipientsSales team, support team, CRM vendor (Salesforce)
Data Transfers AbroadUSA (Salesforce), safeguarded by Standard Contractual Clauses
Retention Period10 years after last contact (contractual + tax law retention)
Security MeasuresAccess control (MFA), encryption at rest/transit, role-based access, audit logs
Legal BasisLegitimate interest (customer relationship), contract (purchase orders)

Cost estimate:

  • Internal (DIY with template): CHF 500-2,000 (staff time)
  • External consultant: CHF 2,000-8,000
  • Software solution: CHF 1,000-5,000/year

4. Data Breach Notification (Art. 24 nDSG)

Obligation: Notify FDPIC “as soon as possible” when a data breach likely poses a high risk to affected individuals.

What is a data breach?

A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Examples:

  • Ransomware attack with data exfiltration
  • Unencrypted laptop stolen with customer data
  • Misconfigured database publicly accessible on internet
  • Employee accidentally emails customer list to wrong recipient
  • Hacker gains unauthorised access to systems

When is notification required?

Only when the breach likely poses a high risk to personality or fundamental rights of affected individuals.

High risk indicators:

  • Sensitive personal data: Health, religious beliefs, biometric data, criminal records, social welfare data
  • Large scale: Thousands of individuals affected
  • Identity theft potential: Combination of data allows identity theft (name + birthdate + address + financial data)
  • Financial harm potential: Bank accounts, credit cards, payment data
  • Reputational damage potential: Embarrassing or private information
  • No mitigation measures: Data was unencrypted, no safeguards

Low risk examples (likely no notification required):

  • Loss of encrypted laptop (strong encryption)
  • Exposure of email addresses only (no other data)
  • Small-scale breach affecting few individuals with non-sensitive data
  • Breach immediately contained before external access

How to notify:

  • To FDPIC: Online form on FDPIC website (www.edoeb.admin.ch)
  • Deadline: “As soon as possible” (no fixed 72-hour deadline like GDPR, but delay must be justified)
  • Content:
  • Description of breach (what happened, when, how)
  • Categories of data affected
  • Approximate number of affected individuals
  • Assessment of consequences and risks
  • Measures taken or planned to mitigate harm
  • Contact details of responsible person

Notification to data subjects:

If high risk, also inform affected individuals directly, unless:

  • Data was already encrypted or otherwise protected (risk eliminated)
  • Subsequent measures eliminated the risk
  • Informing would be disproportionately burdensome (then public announcement instead)

Sanctions for non-notification:

  • Criminal fine up to CHF 250,000 for intentional failure to notify
  • Reputational damage
  • Civil liability claims

Cost estimate (incident response):

  • Small incident (internal handling): CHF 2,000-8,000
  • Medium incident (external forensics): CHF 15,000-50,000
  • Major incident (forensics + legal + PR): CHF 50,000-300,000+

5. Data Processing Agreements (Art. 9 nDSG)

Obligation: Sign written data processing agreements (DPAs) with all external service providers who process personal data on your behalf.

Who is a data processor?

Any external service provider who processes personal data on your instructions. Examples:

  • Cloud hosting providers (AWS, Azure, Google Cloud, Infomaniak, Exoscale)
  • SaaS tools (CRM, email marketing, accounting software, HR systems)
  • IT support and managed service providers
  • Payroll service providers
  • Marketing agencies with access to customer data
  • Web developers with access to website/database
  • Backup and archiving services

What must a DPA contain?

  • Subject matter and duration: What data processing, how long
  • Nature and purpose: Why is processor processing data
  • Type of personal data: Categories of data
  • Categories of data subjects: Customers, employees, etc.
  • Obligations and rights of controller: Your instructions, audit rights
  • Processor obligations:
  • Process only on documented instructions
  • Ensure confidentiality of staff
  • Implement appropriate security measures
  • Assist with data subject rights
  • Assist with security incidents
  • Delete or return data after end of service
  • Make available information for audits
  • Sub-processors: List of sub-processors, controller approval required for changes
  • Data transfers abroad: Mechanisms (Standard Contractual Clauses, adequacy decision)
  • Liability and indemnification

Standard DPAs:

Many SaaS providers offer standard DPAs:

  • Microsoft: Customer agreement includes DPA
  • Google Workspace: Standard DPA available
  • Salesforce: Standard DPA available
  • Most major cloud/SaaS providers have nDSG/GDPR-compliant DPAs

For smaller providers:

If provider doesn’t offer DPA, you must create one. Templates available from:

  • FDPIC website
  • Swiss law firms (e.g., Swissanwalt.ch)
  • International templates (GDPR-compliant DPAs generally sufficient for nDSG)

Cost estimate:

  • Using provider standard DPA: CHF 0 (admin time only)
  • Creating custom DPA (lawyer): CHF 1,500-4,000
  • Reviewing provider DPA (lawyer): CHF 500-1,500

6. Privacy by Design and Privacy by Default

Obligation: Integrate data protection from the beginning of systems, processes, and projects (implicit requirement from Art. 7 nDSG).

Privacy by Design principles:

  1. Proactive, not reactive: Prevent privacy issues before they occur
  2. Privacy as default: Strongest privacy settings by default
  3. Privacy embedded into design: Built-in, not bolted-on
  4. Full functionality: Positive-sum, not zero-sum (privacy doesn’t reduce functionality)
  5. End-to-end security: Protect throughout entire lifecycle
  6. Visibility and transparency: Keep processing open and transparent
  7. Respect for user privacy: User-centric design

Practical implementation:

For new systems/software selection:

  • Checklist: Does solution offer encryption? Access controls? Audit logs? Data minimization features? User rights management (deletion, export)?
  • Prefer Swiss or EU providers (data sovereignty)
  • Require DPA before purchase
  • Evaluate security certifications (ISO 27001, SOC 2)

For new processes:

  • Data minimization: Collect only necessary data
  • Purpose limitation: Use data only for stated purpose
  • Automated deletion: Delete data after retention period automatically
  • Access restriction: Only authorised staff access personal data

For websites:

  • Cookie consent before tracking cookies set
  • Privacy-friendly alternatives (Matomo instead of Google Analytics, local font hosting)
  • SSL/TLS encryption
  • Contact forms with privacy notice
  • Double opt-in for newsletter
  • Easy unsubscribe

For development projects:

  • Conduct Data Protection Impact Assessment (DPIA) before launch
  • Implement data minimization in database design
  • Build user rights functionality (view, download, delete data)
  • Encrypt sensitive data fields
  • Audit logging for data access

Privacy by Default:

Ensure default settings provide maximum privacy:

  • Marketing opt-in requires active checkbox (not pre-selected)
  • Cookie banner: No cookies until consent given
  • User profiles: Minimal data required, optional fields clearly marked
  • Sharing settings: Private by default, sharing requires opt-in

Cost estimate:

  • Minimal if integrated from start (good design costs no more than bad design)
  • Expensive to retrofit: CHF 10,000-100,000+ for major system overhaul

7. Data Subject Rights (Art. 25-28 nDSG)

Obligation: Enable individuals to exercise their rights regarding their personal data.

The seven rights:

  1. Right to information (Art. 25): Right to know if and what personal data is processed about them
  2. Right of access (Art. 25): Right to obtain copy of personal data
  3. Right to rectification (Art. 32): Right to correct inaccurate data
  4. Right to erasure (Art. 32): Right to deletion (“right to be forgotten”)
  5. Right to restriction (Art. 32): Right to restrict processing in certain cases
  6. Right to data portability (Art. 28): Right to receive data in structured, machine-readable format and transmit to another controller
  7. Right to object (Art. 30): Right to object to processing based on legitimate interest

Implementation requirements:

1. Process to handle requests:

  • Designated contact point (email, form)
  • Identity verification process (prevent unauthorised access)
  • Response timeline (within 30 days, extendable to 60 days if complex)
  • Template responses for each type of request
  • Escalation process for complex requests

2. Technical capability:

  • Can you identify all data about a specific individual across all systems?
  • Can you export this data in readable format?
  • Can you delete this data completely (including backups)?
  • Can you provide data in machine-readable format (CSV, JSON)?

3. Documentation:

  • Log all requests received
  • Document actions taken
  • Track response times
  • Identify improvement areas

Common requests:

  • Access request: “What data do you have about me?” → Provide thorough list + copies
  • Deletion request: “Delete my account and all data” → Delete from all systems, confirm in writing
  • Correction request: “My email address is wrong” → Correct and confirm
  • Marketing opt-out: “Stop sending me emails” → Unsubscribe, confirm, keep suppression record

Exceptions to rights:

You can refuse or restrict rights when:

  • Legal or regulatory obligation requires retention (e.g., tax law, commercial law)
  • Exercising right would reveal third-party personal data
  • Request is manifestly unfounded or excessive (can charge reasonable fee or refuse)
  • Processing necessary for legal claims

Cost estimate:

  • Setting up process: CHF 1,000-5,000 (templates, procedures, training)
  • Per request handling: 1-8 hours staff time (simple to complex)
  • Technical implementation (data export functionality): CHF 2,000-15,000

Implementation Roadmap for SMEs

Phase 1: Assessment (Weeks 1-2)

Goal: Understand current state and identify gaps.

Actions:

  1. Data inventory:
  • List all personal data you process (customers, employees, suppliers, website visitors)
  • Where is it stored? (Which systems, databases, files, locations)
  • Who has access? (Internal staff, external processors)
  • How did you obtain it? (Forms, contracts, cookies, business cards)
  • Why do you process it? (Purpose for each type)
  1. System inventory:
  • List all systems processing personal data (CRM, email, HR, accounting, website, etc.)
  • For each: Location (on-premise/cloud/hybrid), provider, data types, access controls
  1. Processor inventory:
  • List all external service providers with access to personal data
  • For each: What they do, what data they access, where they are located, do you have a DPA?
  1. Gap analysis:
  • Compare current state against nDSG requirements
  • Identify missing measures (technical, organisational, documentation)
  • Prioritise by risk and legal obligation

Deliverable: Gap analysis report with prioritised action list

Cost: CHF 2,000-8,000 (internal time or external consultant)

Phase 2: Quick Wins (Weeks 3-4)

Goal: Implement low-hanging fruit with high compliance impact.

Priority actions:

  1. Privacy policy:
  • Create or update thorough privacy policy
  • Publish on website (footer link)
  • Update to reflect actual processing
  1. Cookie banner:
  • Implement if website uses non-essential cookies
  • Ensure opt-in mechanism (no cookies before consent)
  1. Contact forms:
  • Add privacy notice at each form
  • Ensure no pre-selected marketing consent checkboxes
  1. DPAs:
  • Identify all processors without DPA
  • Obtain standard DPAs from major providers
  • Sign immediately
  1. Access control:
  • Review who has access to systems with personal data
  • Revoke unnecessary access
  • Enable MFA where possible
  1. Incident response plan:
  • Draft basic plan (one-pager sufficient initially)
  • Designate responsible person
  • Define escalation path

Deliverable: Basic compliance established for highest-risk areas

Cost: CHF 2,000-10,000

Phase 3: Core Implementation (Weeks 5-12)

Goal: Implement thorough technical and organisational measures.

Actions:

  1. Technical security measures:
  • Full disk encryption on all devices
  • Regular backup implementation (with offline/immutable component)
  • Update management process
  • Network security hardening
  1. Organisational measures:
  • Draft and adopt data protection policies
  • Update employee contracts (confidentiality clauses)
  • Create authorisation matrix (who accesses what)
  • Implement data retention policy
  1. Register of processing activities:
  • Create thorough register
  • Document all processing activities
  • Internal review and approval
  1. Employee training:
  • Develop training materials or purchase training
  • Conduct initial training for all staff
  • Special training for staff handling personal data
  • Document training participation
  1. Data subject rights process:
  • Create request handling process
  • Draft response templates
  • Implement technical capability (data export, deletion)
  • Test with internal dry-run

Deliverable: Thorough nDSG compliance implemented

Cost: CHF 5,000-25,000 (depending on complexity and current state)

Phase 4: Advanced Measures (Weeks 13-20, optional)

Goal: Implement advanced measures for high-risk processing.

Actions:

  1. Data Protection Impact Assessment (DPIA):
  • Identify processing requiring DPIA (high risk, sensitive data, large scale, profiling)
  • Conduct DPIA for each
  • Implement additional mitigation measures
  • Document and review regularly
  1. Privacy by design integration:
  • Integrate into development/procurement processes
  • Create checklists and guidelines
  • Train relevant staff
  1. Advanced monitoring:
  • Implement logging and monitoring
  • Set up alerts for anomalies
  • Regular security audits
  1. External audit:
  • Engage external consultant for compliance audit
  • Identify remaining gaps
  • Implement recommendations

Deliverable: Best-practice compliance, audit-ready

Cost: CHF 10,000-50,000

Phase 5: Ongoing Compliance (Continuous)

Goal: Maintain compliance and continuous improvement.

Recurring activities:

Quarterly:

  • Review and update register of processing activities
  • Review access rights
  • Backup recovery test
  • Review processor compliance

Annually:

  • Update privacy policy if changes
  • Review and update policies
  • Employee training refresh
  • Security measures review
  • DPA renewals where needed
  • Management report on compliance status

Event-based:

  • New system/processor: DPA, register update, security assessment
  • New processing activity: Register update, privacy notice update, DPIA if needed
  • Data breach: Notification, investigation, remediation, lessons learned
  • Employee departure: Access revocation, equipment return
  • Employee onboarding: Training, confidentiality agreement
  • Law changes: Compliance review and adjustments

Cost: CHF 2,000-15,000/year (depending on size and complexity)

Common Mistakes to Avoid

Mistake 1: “We’re too small, nDSG doesn’t apply to us”

Reality: nDSG has no size thresholds. Even a 2-person company processing personal data must comply.

Consequence: Non-compliance discovered during FDPIC investigation or customer audit.

Solution: Start with basics regardless of size. Small companies can implement nDSG compliance in 2-4 weeks.

Mistake 2: “We’ll just copy-paste a privacy policy from the internet”

Reality: Generic privacy policies don’t reflect your actual processing and can be misleading (itself a violation).

Consequence: Privacy policy doesn’t match reality, FDPIC may consider this lack of transparency.

Solution: Start with template, but customise to your actual processing. Update when processing changes.

Mistake 3: “IT will handle data protection”

Reality: Data protection is a management responsibility, not just IT. IT implements technical measures, but strategy and accountability sit with management.

Consequence: Fragmented approach, gaps in organisational measures, personal liability for management.

Solution: Management defines strategy, assigns responsibilities, allocates resources. IT is one part of implementation.

Mistake 4: “No DPAs with processors, vendors say it’s not necessary”

Reality: DPAs are legally required (Art. 9 nDSG). Vendor’s claim doesn’t exempt you.

Consequence: You’re liable for processor’s failures. FDPIC may fine you for missing DPAs.

Solution: Obtain DPAs from all processors. If vendor refuses, find another vendor.

Mistake 5: “We’ll implement everything at once”

Reality: Thorough implementation takes time. Trying everything simultaneously leads to burnout and incomplete implementation.

Consequence: Overwhelming staff, half-finished measures, loss of momentum.

Solution: Phased approach. Start with high-priority items, build momentum, continuous improvement.

Mistake 6: “Once implemented, we’re done”

Reality: Compliance is continuous. Systems change, staff changes, processing changes, laws change.

Consequence: Compliance drifts over time, gaps emerge.

Solution: Establish ongoing activities (quarterly reviews, annual audits, event-based updates).

Mistake 7: “We don’t need to notify data breaches if we fix it quickly”

Reality: Notification is required even if you remediate quickly, if high risk existed.

Consequence: Criminal penalty up to CHF 250,000 for intentional non-notification.

Solution: Assess every incident for notification requirement. When in doubt, consult lawyer and notify FDPIC.

Cost-Benefit Analysis

Costs of Compliance

Small SME (5-20 employees):

  • Initial: CHF 5,000-15,000
  • Annual: CHF 2,000-6,000

Medium SME (20-100 employees):

  • Initial: CHF 15,000-40,000
  • Annual: CHF 5,000-15,000

Large SME (100-250 employees):

  • Initial: CHF 30,000-80,000
  • Annual: CHF 10,000-25,000

Costs of Non-Compliance

Legal costs:

  • FDPIC fines: CHF 0-250,000 per violation (intentional violations)
  • Civil liability: Variable, can exceed CHF 100,000 for significant breaches
  • Legal defence: CHF 10,000-100,000+

Operational costs:

  • Data breach remediation: CHF 15,000-500,000+ (forensics, notification, monitoring, PR)
  • Business interruption: Variable, depending on incident
  • Emergency compliance: CHF 20,000-100,000 (rushed implementation costs more)

Reputational costs:

  • Customer churn: 20-40% after major breach (industry studies)
  • Lost contracts: Inability to bid on contracts requiring compliance
  • Market value impact: Unquantifiable but significant

Opportunity costs:

  • Lost business opportunities (can’t work with EU customers, large enterprises)
  • Competitive disadvantage against compliant competitors

ROI calculation:

Even small breaches cost CHF 50,000-200,000 on average. Compliance investment of CHF 10,000-30,000 pays for itself if it prevents even one incident.

Tools and Resources

Official Resources

Federal Data Protection and Information Commissioner (FDPIC):

  • Website: www.edoeb.admin.ch
  • Guide for SMEs (PDF, free)
  • Data breach notification form
  • FAQs

Federal Office of Justice (FOJ):

  • Legal texts and commentary
  • Legislative materials

Privacy Policy Generators

Free/low-cost:

  • SwissAnwalt.ch privacy generator (CHF 0-500)
  • Datenschutzpartner.ch (CHF 0-300)
  • iubenda (international, CHF 27-149/year)

Professional:

  • Lawyer-drafted (CHF 1,500-4,000, fully customised)
  • Cookiebot (CHF 0-600/year, Swiss data storage option)
  • Usercentrics (CHF 0-1,500/year)
  • Complianz (WordPress plugin, CHF 0-230/year)
  • OneTrust (enterprise, CHF 5,000+/year)

DPA Templates

  • FDPIC website (free template)
  • Swiss law firms (many offer free templates)
  • Provider standard DPAs (check provider website)

Training

Online courses:

  • Swiss Data Protection Academy (CHF 300-1,500/person)
  • LinkedIn Learning (data protection courses)
  • ISACA Switzerland (professional training)

In-person training:

  • Various Swiss providers (CHF 500-2,000/day)
  • Customised in-house training (CHF 2,000-5,000)

Consulting

Small projects (gap analysis, basic implementation):

  • CHF 3,000-15,000

Thorough implementation:

  • CHF 15,000-80,000

External Data Protection Officer:

  • CHF 3,000-15,000/year (depending on scope)

Recommended consultants:

  • Look for lawyers specialised in data protection law
  • IT security firms with data protection expertise
  • Check FDPIC website for list of recognised consultants

Your nDSG Compliance Path Forward

nDSG compliance is mandatory for all Swiss SMEs processing personal data. While implementation requires investment of time and money (CHF 5,000-25,000 initially for typical SMEs), non-compliance poses significantly higher risks: fines up to CHF 250,000, personal criminal liability, reputational damage, and lost business opportunities.

The path forward:

  1. Assess your current state (2 weeks, CHF 2,000-8,000)
  2. Implement quick wins (2 weeks, CHF 2,000-10,000)
  3. Deploy core measures (8 weeks, CHF 5,000-25,000)
  4. Maintain ongoing compliance (CHF 2,000-15,000/year)

Start today. Data protection compliance is not a one-time project but a continuous commitment to protecting personal data and maintaining trust.

Next steps:

  • Download FDPIC’s SME guide
  • Conduct internal data inventory
  • Identify your highest-risk areas
  • Engage consultant if needed
  • Create implementation plan with timeline and budget
  • Start with quick wins to build momentum

Data protection is not just legal compliance; it is a competitive advantage and a demonstration of respect for your customers, employees, and partners.

Transparency Note: This article was created with the support of AI technology and reviewed, supplemented, and finalised by the Alpine Excellence editorial team. All content meets Alpine Excellence editorial standards.