nDSG: The new Swiss Data Protection Act and what it means for your IT

Alexis M.,

Too Long; Didn't Read

The revised Swiss Data Protection Act (nFADP; nDSG in German) has been in force since 1 September 2023, and many Swiss SMEs still have gaps. The good news: if you have a solid IT foundation, you are already closer than you think. The first step is simple: find out which personal data you process at all and where it is stored.

Yes, data protection is tedious. Still.

If you opened this article, the trigger was probably not spontaneous enthusiasm for legal texts. More likely, someone asked the question. The CEO, the board of directors, a customer. Whether you have already implemented “the new data protection law.” And the honest answer was somewhere between “partly” and an uncertain shrug.

That is okay. Really. The nFADP has been in force since September 2023, but the implementation reality among Swiss SMEs is mixed. Some have cleaned things up systematically. Many created a to-do list that has remained unchanged ever since. And some still do not know exactly what has actually changed.

This article is for all three groups. We will go through, step by step, what the nFADP means in concrete terms, where it differs from the GDPR, and what you can realistically do. No legalese, no fearmongering.

What has actually changed?

The nFADP replaces the old Data Protection Act from 1992. Yes, 1992. Back then, “data” mainly meant physical files, and the internet was only just emerging. Accordingly, protection for everything digital was full of gaps.

Switzerland had two reasons for the revision. First, it wanted to retain its status as a third country with an adequate level of data protection vis-à-vis the EU. Without this status, data transfers between Swiss and EU companies become significantly more complicated. Second, digitalization had simply overtaken the old law.

What the nFADP is not: a clone of the GDPR. If you are already compliant in the EU, you have done a lot, but not everything. And if you only operate in Switzerland and dismissed the GDPR as an “EU problem,” the nFADP says: Welcome to the present.

One detail that is often overlooked: the nFADP protects only natural persons, not legal entities. The old Swiss DPA also protected company data. This gap now has to be closed in other ways, for example contractually.

The three things that directly affect your IT

Here we focus on what you, as an IT manager or managing director, really need to know. Not legally exhaustive—there are lawyers for that.

Notification obligation for data breaches. This is the new requirement with the greatest operational impact. In the event of a breach of data security, i.e. data loss, unauthorized access, or ransomware with data exfiltration, you must notify the FDPIC “as quickly as possible.” There is no fixed deadline; in practice, people orient themselves to the 72 hours of the GDPR. The duty to notify the FDPIC applies only if the breach is likely to result in a high risk for the affected individuals (the GDPR threshold is lower: there, only breaches unlikely to result in any risk are exempt). Separately, you must inform the affected persons themselves if that is necessary for their protection or if the FDPIC asks you to. Internal mis-sending of a newsletter without sensitive data? Probably not a reportable case. Ransomware with exfiltration of health data? Clearly reportable, and most likely also a case for informing the affected patients.

In concrete terms, this means: you need a process. Not a 50-page manual, but you must know who decides whether a breach is reportable, who reports it, and what is reported (at minimum: what happened, what the consequences are, and what you have done or plan to do about it). That last point only works if the people handling the incident preserve the evidence, logs and timeline needed to answer those questions. (We have a separate article on incident response readiness if you want to dive deeper.)

Privacy by Design and Privacy by Default. If you introduce a new application, buy a CRM, or set up an HR tool, data protection must be considered from the very beginning, not as an afterthought, and the most privacy-friendly settings must be the defaults. In practice, we often see this go wrong: a new SaaS tool is introduced quickly and pragmatically, and nobody asks what data the tool sends home, where the provider processes it, or whether the data leaves Switzerland for a country without an adequate level of protection, which requires additional safeguards such as standard contractual clauses.

Record of processing activities. It sounds bureaucratic, but it is less so than you might think. At its core, it means: document what data you process, for what purpose, which categories of people it concerns, who has access to it and who receives it, how long you keep it, and (where you can say so) how it is protected and to which countries it is transferred. Companies with fewer than 250 employees are exempt as long as their processing poses only a low risk to the affected individuals. But be careful: as soon as you process sensitive personal data (health data, biometric data, data on religious views) on a large scale, or carry out high-risk profiling, you are fully obligated even as an SME with 30 people.

Where nFADP and GDPR really differ

This is the question we hear most often. Especially from companies that already have GDPR processes, often because they serve EU customers or have a parent company in the EU.

The short version: anyone who has seriously implemented GDPR is 70–80% of the way toward nFADP compliance. But not quite there.

The biggest difference lies in the sanctions system. The GDPR relies on corporate fines of up to 4% of global annual turnover. The nFADP takes a different route: it sanctions individuals. The responsible natural person, in practice a managing director, an IT manager, or whoever took the decision, can be fined up to CHF 250,000 for intentional violations of specific duties (information and disclosure duties, the duty of care for cross-border transfers and processors, minimum data security requirements). Only if identifying that person would take disproportionate effort can the company be fined instead, up to CHF 50,000. This is a psychological difference that explains why the topic is suddenly being taken more seriously at management level.

Other differences: the nFADP does not prescribe a mandatory data protection officer (the GDPR does in many cases); the Swiss “data protection advisor” is voluntary for private companies. For high-risk processing, the nFADP requires a data protection impact assessment, similar to the GDPR’s DPIA. And like the GDPR, the nFADP applies extraterritorially: it covers processing that has an effect in Switzerland even if it is initiated abroad. The reverse also holds. If you are based in Zurich and serve EU customers, the GDPR applies to you as well, so you need to know both laws. This is more common among Swiss SMEs than one might think.

The honest assessment: if you relied only on GDPR compliance and thought Switzerland was covered as a result, you miscalculated. Especially regarding the sanctions system.

Where data protection and IT security converge

The nFADP requires “appropriate technical and organizational measures” to protect personal data. In practice, this means: encryption, access controls, logging, backup concepts, patch management. In other words, everything that should already be covered under a solid ISMS. One point worth checking specifically: the Data Protection Ordinance makes logging mandatory for large-scale automated processing of sensitive data and for high-risk profiling, with the logs kept for at least one year, separately from the system whose activity they record.

This is no coincidence. Regulatory requirements and standards such as nFADP, GDPR, NIS2, and ISO 27001 overlap heavily. A company that has built a pragmatic ISMS has usually already laid the technical foundations for nFADP compliance. (We have covered the ISMS topic in more detail if you are still at the beginning.)

That is why our compliance approach is not an isolated data protection project. When you start closing nFADP gaps, it is worth checking at the same time which other requirements apply to you. NIS2 is an EU directive and reaches Swiss companies mainly through EU subsidiaries or as suppliers to EU entities; Swiss operators of critical infrastructure instead have a domestic duty to report cyberattacks to the NCSC under the Information Security Act (ISG). FINMA requirements apply if you operate in the financial sector. Integrating multiple compliance frameworks significantly reduces effort in our experience, because many requirements are identical.

What you can do this week

Take an hour and create a simple inventory: which systems in your company process personal data? CRM, HR software, file server, cloud services, the old Excel sheet from 2015. Write down what data is stored there, who has access, and where the system keeps its data (on-premises, or which provider and region), since that last point decides whether cross-border transfer rules apply. Not a perfect document, just an honest status assessment.

This is the step where most people fail. Not because it is hard, but because it is never prioritized. And without this inventory, everything else, the data breach process, contracts with third-party providers, the updated privacy policy, is patchwork without a foundation.
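A first technical pass at the inventory step described above, as an added example that is not code from the original article or from its author: walk a file share, flag files that contain e-mail addresses or Swiss AHV numbers, and validate the AHV check digit so that reference numbers that merely look like one are not counted. The directory layout, file contents and the two pattern categories are constructed for the example; a real run would extend the pattern table to your own data categories and point it at the shares from your inventory.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Two representative categories of personal data (assumption: extend this
# table for the categories your own inventory needs, e.g. phone numbers,
# customer IDs, IBANs).
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # Swiss social security number (AHVN13): 756.XXXX.XXXX.XC, dots optional.
    "ahv": re.compile(r"\b756\.?\d{4}\.?\d{4}\.?\d{2}\b"),
}


def ahv_checksum_ok(candidate: str) -> bool:
    """Validate the AHVN13 check digit (EAN-13 scheme): weights 1,3,1,3,...
    over the first 12 digits, check digit = (10 - sum % 10) % 10."""
    digits = candidate.replace(".", "")
    if len(digits) != 13 or not digits.isdigit():
        return False
    total = sum(int(d) * (1 if i % 2 == 0 else 3) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == int(digits[12])


def classify_text(text: str) -> dict:
    """Return {category: number of distinct values} for the patterns found in text.
    AHV candidates that fail the check digit are dropped as false positives."""
    found = defaultdict(set)
    for category, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            if category == "ahv" and not ahv_checksum_ok(value):
                continue
            found[category].add(value)
    return {category: len(values) for category, values in found.items()}


def scan_tree(root: str, max_bytes: int = 5_000_000) -> dict:
    """Walk a directory and return {relative_path: {category: count}} for every
    file with at least one hit. Files that are too large or unreadable are
    skipped; content is read as UTF-8 with errors ignored, so text-like files
    (CSV, TXT, MD) are covered and binary formats are simply missed."""
    inventory = {}
    base = Path(root)
    for path in sorted(base.rglob("*")):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        hits = classify_text(text)
        if hits:
            inventory[path.relative_to(base).as_posix()] = hits
    return inventory


def build_sample_share() -> str:
    """Create a small constructed file share in a temp directory. All names,
    addresses and numbers are made up for this example."""
    root = tempfile.mkdtemp(prefix="nfadp-inventory-")
    samples = {
        "HR/employees_2015.csv": "name,email,ahv\nA. Muster,a.muster@example.com,756.1234.5678.97\n",
        "Sales/notes.txt": "Call back b.meier@example.org about the offer.\n",
        "IT/runbook.md": "# Patch window\nEvery second Tuesday, 22:00.\n",
        # Looks like an AHV number but the check digit is wrong: must not be counted.
        "Finance/invoice.txt": "Ref 756.1234.5678.90 is an invoice number, not an AHV number.\n",
    }
    for relative, content in samples.items():
        target = Path(root, relative)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for file_path, hits in scan_tree(share).items():
        print(f"{file_path}: {hits}")
```

The output is a list of paths with the categories and distinct-value counts found in each, which is exactly the raw material for the inventory: the HR export shows up with both an e-mail address and an AHV number, the sales notes with an e-mail address only, and the invoice file does not appear because its reference number fails the check digit. Counting distinct values rather than raw matches keeps a file that repeats one address a hundred times from looking like a hundred affected people.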

The nFADP does not have to paralyze your company. Those who proceed systematically often find that much is already in place. What is usually missing is documentation and process clarity, not technical infrastructure.

If you want to tackle this first step in a structured way, we can do it together. We help Swiss SMEs and mid-market companies implement compliance pragmatically. Without consulting overkill, but with the result that you know where you stand afterward. You can find more about our compliance approach here.

Join us on the journey

Effortlessly schedule a conversation and discover how we bring success in the digital world to your company.

Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2026 ODCUS | All rights reserved.