Data, Privacy and AI risk services

Organisations in Switzerland are navigating a set of obligations the Swiss Data Protection Act (DSG), the EU General Data Protection Regulation (GDPR) for cross-border data flows, and increasingly complex questions around the EU AI Act. Regulatory expectations are rising, enforcement activity is increasing and the consequences of gaps - operational, reputational and legal - are real. Forvis Mazars in Switzerland supports organisations in identifying and managing data privacy risks, meeting GDPR, DSG and EU AI Act requirements, fulfilling data protection officer obligations and establishing governance frameworks for the responsible use of AI.

Data, privacy and AI risk services we provide

Data protection risk advisory
 

Many organisations process personal data across multiple systems, business functions and EU entities without a clear picture of where the risks actually sit. We identify, assess and manage data protection risks in a structured way, analysing existing processes, mapping data flows and developing practical measures to ensure lawful, secure and defensible handling of personal data under Swiss and EU law.

GDPR, DSG and EU AI Act assessments

Knowing you have a compliance gap is one thing, knowing exactly where it is and how to close it is another. We conduct systematic data protection assessments against the requirements of the EU General Data Protection Regulation (GDPR), the Swiss Data Protection Act (DSG) and the EU AI Act, reviewing organisational and technical measures, analysing data processing activities and delivering concrete, prioritised recommendations - not a theoretical report, but practical recommendations and measures for closing identified weaknesses.

DPO and Data Protection Office support

Not every organisation has the capacity to maintain a fully resourced internal data protection function. We take on the role of external Data Protection Officer (eDPO) under the GDPR or provide specialist support to an existing Data Protection Office, covering ongoing advisory, compliance monitoring, data protection impact assessments (DPIAs) and communication with supervisory authorities where required.

Audit and consulting on AI governance & AI risk

Deploying AI tools, including large language models, automated decision systems and platforms such as Microsoft Copilot creates regulatory, ethical and operational risks that most organisations are not yet managing systematically. We advise on establishing effective governance frameworks for AI use and review existing processes against regulatory, ethical and technical risk criteria, covering model risk assessment, transparency and explainability requirements, control mechanisms and measures to ensure AI systems are used responsibly and in line with applicable law.

When do organisations seek data protection, privacy and AI risk support?

Organisations come to us at a number of trigger points:
• Preparing for or responding to a review by the Federal Data Protection and Information Commissioner (FDPIC) or another supervisory authority
• Assessing compliance with the Swiss DSG
• Managing GDPR obligations for cross-border data transfers or EU-facing operations
• Deploying AI tools across the organisation and needing a governance structure to manage the associated risks
• Appointing or replacing a Data Protection Officer under the GDPR
• Conducting a data protection impact assessment (DPIA) for a high-risk processing activity
• Responding to a data breach or privacy incident

We work with organisations across banking, insurance, asset management, healthcare, manufacturing, technology, the public sector and many other industries. Any organisation that processes personal data, deploys AI systems or operates in a regulated environment in Switzerland. We support both Swiss-headquartered organisations and international groups with operations or data processing activities in Switzerland.
Expert assessing data privacy, AI risk and cybersecurity controls in a secure digital infrastructure environment.

FAQ about data, privacy and AI risk services

What should organisations consider when implementing AI or Copilot solutions?

Implementing AI tools such as Microsoft Copilot or other large language model-based systems raises data protection, governance and risk questions that need to be addressed before deployment. Key considerations include: which personal or confidential data the system can access and process, how that data is stored and retained, whether the processing is lawful under GDPR and DSG, what controls prevent misuse or unintended outputs and how decisions made or supported by the AI system are documented and reviewed. Organisations should conduct a data protection impact assessment (DPIA) for high-risk AI deployments and establish an AI governance framework covering accountability, transparency and ongoing monitoring.

When is a GDPR or data protection assessment necessary?

A data protection assessment is advisable when an organisation has not reviewed its data processing activities against current GDPR or DSG requirements, when new systems or processes are introduced that involve personal data, when preparing for a regulatory review or audit and when significant changes occur in the business, such as a merger, a new product or expansion into new markets. For high-risk processing activities, a formal data protection impact assessment (DPIA) is a legal requirement under both GDPR and the Swiss DSG.

What does an external DPO mandate involve?

An external Data Protection Officer acts as the responsible point of contact for all data protection matters, advising the organisation on obligations, monitoring compliance, supporting DPIAs, liaising with supervisory authorities and providing staff guidance. For organisations without a large internal legal or compliance function, an external DPO mandate provides consistent, qualified oversight at a defined scope and cost.

What is AI governance and why does it matter?

AI governance refers to the policies, processes and controls an organisation puts in place to ensure that AI systems are used responsibly, transparently and in line with applicable laws and ethical standards. As AI tools become embedded in operations, from document processing to customer interactions to internal decision support, the absence of governance creates regulatory, reputational and operational risk. In Switzerland, organisations deploying AI are increasingly expected to demonstrate that their systems are subject to meaningful human oversight and that risks have been assessed and managed.

How do organisations balance GDPR compliance with data-driven operations?

Compliance with the Swiss DSG and GDPR does not prevent data-driven work - but it does require that personal data is processed with a lawful basis, that individuals' rights are respected and that appropriate technical and organisational measures are in place. Organisations that invest in clear data governance structures, well-documented processing activities and regular compliance reviews can operate with confidence. A structured data protection assessment is typically the starting point for understanding where the gaps are and how to close them efficiently.

Plus d’infos ?