nFADP for SMEs: the practical guide to data protection

Since 1 September 2023 the revised Swiss Federal Act on Data Protection (nFADP) applies to every company, even the smallest. No panic and no legalese: what it really asks of an SME and how to get compliant without turning it into an endless project.

"I'm so small, privacy doesn't apply to me." It's the sentence we hear most often, and it's also the most wrong. Since 1 September 2023 the revised Swiss Federal Act on Data Protection (nFADP) applies to anyone who processes personal data: customers, employees, suppliers. Size has nothing to do with it. The good news is that, for an SME, getting compliant is far simpler than the word "law" might lead you to fear.

Let's look, in a practical way and without legalese, at what the nFADP really asks of a small business and where to start.

What the nFADP is, in two lines

The nFADP is the complete revision of the Federal Act on Data Protection, which came into force on 1 September 2023. It strengthens individuals' rights over their own data and brings Switzerland closer to the European GDPR standards, so that Swiss companies can keep exchanging data with the European Union without obstacles. In essence it asks for one thing that's simple to say and demanding to do: know which data you process, why, and protect it sensibly.

Who it applies to (your small business too)

It applies to anyone, company or person, who processes personal data in Switzerland. And "processing data" is something you do every day without thinking about it: you keep the customer list, run payroll, collect emails from a form, archive contracts. All of this is the processing of personal data. There's no threshold of employees or revenue below which the law "doesn't apply": some formal obligations change, the principle doesn't.

What it really asks of you (the practical obligations)

  • Inform transparently. People must know which data you collect and for what purposes. You do this with a clear privacy notice, accessible from your website.
  • Process only what you need. Collect the data necessary for the purpose, not "everything just in case". The less data you keep, the less risk you run.
  • Ensure security. Adequate measures against unauthorised access and loss: controlled access, backups, attention to where the data lives.
  • Respect rights. People can ask you for access to, rectification or erasure of their data: you must be able to respond.
  • Notify breaches. In the event of a breach that entails a high risk, the FDPIC (the Swiss authority) must be informed as soon as possible.
  • Privacy by design and contracts. Think about data protection from the very start of your processes, and govern by contract the suppliers who process data on your behalf (hosting, business software, cloud tools).

nFADP and GDPR: the differences that matter

In their principles, the nFADP and the GDPR are very similar: whoever is already compliant with one is almost compliant with the other. But for a Swiss SME some differences are useful to know:

  • Penalties target the responsible individuals, with criminal fines of up to CHF 250,000, rather than the company with administrative fines as under the GDPR.
  • There is generally no obligation to appoint a data protection officer (DPO).
  • Businesses with fewer than 250 employees and low-risk processing are exempt from the record of processing activities (but keeping a simple one remains a good idea).
  • Breaches must be notified "as soon as possible", not within the 72 hours required by the GDPR.

The bare minimum for an SME

If you're short on time, start here: (1) publish a clear privacy notice on your site, (2) know where your data is and who accesses it, (3) secure the essentials (access, backups, tools chosen sensibly). With these three points you cover most of the real risk.

And if I use AI? ChatGPT, Copilot and data

This is where many SMEs stumble. Using an artificial-intelligence tool means processing data: if you paste your customer list or a contract into ChatGPT, that data leaves your perimeter. The nFADP doesn't ban AI, but it asks you to know what you enter and where it ends up. The practical rule: no personal or confidential data in consumer versions, use plans or configurations with adequate protection, and give your team clear rules. We covered this in Shadow AI: your employees are already using ChatGPT with customer data and, on choosing the tool, in Microsoft Copilot vs ChatGPT for businesses.

Where to start: 3 concrete steps

You don't need a big-company project. Three steps are enough, in order.

  • Map the data. Make a simple list: which data you collect, where it is (business software, email, spreadsheets, cloud) and who accesses it. It's the basis of everything.
  • Publish a notice. A clear privacy policy on the site, written in plain language, stating what you process and what rights people have.
  • Secure it and set the rules. The right access, backups, tools chosen sensibly and rules of use for the team (including the use of AI).

Once you've taken these three steps, you're ahead of most small businesses, and compliant with the substance of the nFADP.

In short

The nFADP is neither a threat to fear nor a technicality to ignore: it's a request for digital common sense that applies to every business, including yours. Knowing which data you process, saying so transparently and protecting it sensibly is what the law asks for and also, quite simply, a serious way of working. And often digitalising well, putting your data in order, is exactly what brings you into compliance almost without noticing.

This article is for information purposes only and does not constitute legal advice. For specific cases, consult a legal advisor or the competent authority (FDPIC).


Putting your data in order is the first step to being compliant. AFianco helps SMEs in Switzerland digitalise and automate their processes while keeping data under control, and applies the same standard to its own site (see our Privacy Policy). No hype, starting from your real processes.

Frequently asked questions

What is the nFADP?

The nFADP is the revised Swiss Federal Act on Data Protection, in force since 1 September 2023. It strengthens individuals' rights over their own data and brings Switzerland closer to European standards (GDPR), requiring those who process personal data to provide more transparency, security and control.

Does the nFADP apply to small businesses?

Yes. The nFADP applies to anyone who processes personal data, regardless of size: even a small business handles data on customers, employees and suppliers. Size reduces some formal obligations, but does not exempt you from complying with the law.

What are the main nFADP obligations for an SME?

Inform people transparently about which data you collect and why (privacy notice), ensure data security, respect individuals' rights (access, rectification, erasure), notify the FDPIC of significant breaches as soon as possible, apply privacy by design, and govern your relationships with suppliers who process data on your behalf.

What is the difference between the nFADP and the GDPR?

They are very similar in principle. The main differences: the nFADP provides for criminal penalties of up to CHF 250,000 on the responsible individuals (not administrative fines on the company as under the GDPR), generally does not require a DPO, exempts low-risk businesses with fewer than 250 employees from the record of processing activities, and requires breaches to be notified "as soon as possible" rather than within 72 hours.

Can I use ChatGPT at work while complying with the nFADP?

Yes, if you know which data you enter and where it ends up. Using an AI tool means processing data: choose plans or configurations with an adequate level of protection, avoid entering personal or confidential data into consumer versions, and define clear rules for the team. That's how you avoid so-called Shadow AI.
