Digital Compliance: 2024 business guide for Swiss SMEs beyond Financial Services

Updated: Apr 15

Thursday, 28 March 2024

Monde Economique by Elena Liotto, Head of Marketing Communications / Data Protection Advisor



While compliance is often linked to heavily regulated sectors like finance, healthcare, and legal industries, it is crucial to recognize that due to the unprecedented technological development of the past years, digital compliance extends far beyond these realms.

Small and medium-sized enterprises (SMEs), renowned for their agility and adaptability, are strategically positioned to serve as crucial innovation intermediaries within the supply chain ecosystem.

Digital compliance encompasses adherence to regulations and best practices concerning the use of digital technologies, data protection, cybersecurity, and online business practices. This article provides Swiss SMEs that are not engaged in offering financial services with an overview of the critical digital compliance trends.

1. Relevance of the EU Artificial Intelligence (AI) Act for Swiss companies

Understanding the approval of the AI Act by the European Parliament in February 2024 is particularly important for Swiss SMEs due to its extraterritorial reach and market access requirements, regardless of size. Swiss companies targeting EU clients or having subsidiaries in the EU must implement the law. The act impacts all players engaged in the AI-related domain, including users, providers, importers, distributors, and affected persons of AI systems.

Human-Centric Regulation

In a nutshell, the new law introduces a human-centric approach to regulating AI, based on seven underlying principles: Human Agency and Oversight, Technical Robustness and Safety, Privacy and Data Governance, Transparency, Diversity, Non-discrimination and Fairness, and Social and Environmental Well-being.

Risk-Based Classification

The rulebook introduces a risk-based classification for AI systems, distinguishing between unacceptable-risk, high-risk, limited-risk, and minimal-risk applications. While most AI systems pose limited risk (e.g., chatbots and deepfakes) or minimal risk (e.g., AI-enabled video games) and are still subject to a documented assessment, those deemed high-risk (e.g., medical diagnostics, transportation) will be subject to stringent obligations and registration procedures. Although the AI Act does not exempt SMEs from compliance, Article 55 outlines the resources and measures set to support them.

Subscription Type and Data Protection

Companies utilizing generative AI tools must carefully consider factors such as the purpose of the content, usage rights, and access permissions. Some systems offer business-friendly versions designed to comply with data protection regulations, such as ChatGPT Team, ChatGPT Enterprise, or the API solution. Others, such as Gemini, Google's successor to Bard, may present challenges and require reassessment, as they may not be suitable for enterprise use or for handling sensitive information.

The EU's AI law reflects global attitudes towards the challenges and opportunities presented by AI.

In October 2023, China introduced the Global AI Governance Framework, which coincided with the US issuing an executive order on AI regulation. Subsequently, 29 countries, including Switzerland, agreed in the UK to advocate for secure and ethical AI development. The question now is how Switzerland will amplify its contribution to the global framework for AI.

2. Online Business Practices

EU Digital Services Act (DSA)

Initially effective in August 2023 for large companies, the DSA expanded its reach from 17 February 2024 to include all companies. This legislation, amending the e-Commerce Directive, has favorable implications for SMEs with an online presence. Its extraterritorial effects impact not only EU-based businesses but also numerous companies in Switzerland serving EU clients. The DSA targets intermediary services, hosting services, online platforms, and very large online platforms, aiming to protect the fundamental rights of users within the EU and to promote growth and fair competition. While certain exemptions apply to small enterprises (fewer than 50 employees and an annual turnover of less than EUR 10 million) and micro-enterprises, all businesses are encouraged to engage in practices such as conducting regular audits, adhering to terms and conditions, aligning with content moderation standards, establishing an EU representative, and ensuring transparent advertising.

EU Digital Markets Act (DMA)

Effective from 2 May 2023, the DMA specifically targets large online platforms, also known as “gatekeepers,” and aims to foster fair competition and innovation within the digital market. For SMEs, understanding the DMA is crucial, as changes in policies on advertising, transparency, and moderation by these online giants may significantly affect the operational and business practices of their smaller collaborators. The DMA seeks to level the playing field by preventing gatekeepers from imposing unfair conditions on businesses and consumers, thereby ensuring a more competitive and dynamic digital sector. 

3. Processing of Personal Data

Businesses, whether online or offline, must comply with personal data protection obligations under the Swiss Federal Act on Data Protection (FADP) and the EU General Data Protection Regulation (GDPR), both applicable extraterritorially to protect Swiss and EU citizens. Companies are required to process data lawfully and uphold individuals' rights. While Swiss law may exempt SMEs with fewer than 250 employees from certain mandates like the Record of Processing Activities (ROPA), the GDPR offers no size-based exemptions.

Overall, understanding these compliance nuances is essential, since obligations turn on the nature of the data processed rather than on company size.

4. Information Security

SMEs often underestimate the risk of cyberattacks, assuming their size makes them less of a target. This assumption increases their exposure, particularly with the rise of cloud-based solutions and outsourcing.

Even when advanced technologies are used, the ultimate responsibility for cybersecurity rests with the organization.

Following frameworks such as ISO 27001, which includes risk assessment, security policies, and incident management, among other aspects, allows SMEs to strengthen their cybersecurity measures and promote a culture of security awareness. It's crucial for SMEs to invest in regular cybersecurity training for employees. Educating them on best practices and threat recognition significantly enhances the organization's defensive capabilities.

Conclusion

Effective corporate governance is essential for promoting accountability, transparency, fairness, reliability, information security, and risk management within SMEs. By prioritizing cybersecurity, adhering to data protection regulations, embracing corporate governance principles, and keeping pace with the rapid development of AI regulation, companies can build trust with customers, protect their assets, and thrive in today's digital economy. SMEs should not underestimate the value of partnerships in enhancing digital compliance. Collaborating with technology providers, legal experts, and industry groups can offer SMEs additional resources and insights to navigate compliance challenges.
