Hôtel BeauLac, Neuchâtel, Switzerland
12 October 2023
Masterclass Compliance II
True to its mission to inform and educate, the Fondation de la Haute Horlogerie organises seminars for professionals in the industry, with a particular focus on compliance-related topics. After a successful session in 2022, on the legal and regulatory framework for sustainable development, a second event took place in October 2023, again in Neuchâtel. Discussions covered data protection, cybersecurity and responsible procurement, and the session wrapped up with a round table on certification.
The day began with a reminder of the key takeaways from 2022: on the one hand, considerable advances towards greater sustainability have been made over the past twenty years, both in business and society at large. However, new risks have emerged, illustrated by the consequences of the war in Ukraine.
“Reasonable assurance”
Morgane Rivier, from the Federation of the Swiss Watch Industry, gave insight into this evolving environment with her keynote on Switzerland’s new data protection act, which came into force in September 2023. Gilbert Chopard, managing partner at Satom IT & Learning Solutions, then focused on data security, with case studies of two cyber attacks in which systems assumed to be secure turned out to be vulnerable, resulting in data breaches.
For the final keynote, Céline Cheval, founder of Buyer Beware, talked about responsible procurement and a tendency within the watch industry towards a certain “commercial hypocrisy” among companies content to forward compliance declarations to their suppliers. Wrapping up the seminar, a round-table discussion highlighted the difficulties businesses face in navigating a maze of audits, standards and certifications; the solution being to adapt requirements to the size of a company and its specific risks, bearing in mind that the purpose of any standard is to provide civil society with “reasonable assurance”.
Introduction by Pascal Ravessoud
FHH Vice-President
New Swiss data protection legislation: what's at stake for the watch industry?
Holder of a Master's degree in health and biotechnology law and sports law from the University of Neuchâtel, Ms Rivier joined the legal department of the Fédération de l'industrie horlogère FH in 2009 for a few months' internship in the field of anti-counterfeiting. This internship led to a legal position, which she still holds today.
Since 2021, she has also been working for the FH as an IT project manager.
Over the years, Ms. Rivier has taken charge of files relating to data protection, US environmental legislation and, more recently, corporate social responsibility.
Having defined personal data, Morgane Rivier outlined the content of the act with respect to the processing of this data and companies’ obligations. The first of these is to maintain a record of processing activities and to inform individuals about the collection and use of their personal data (transparency). Consent is not required by default (an opt-out model), except in cases of high-risk profiling or when processing sensitive data. Individuals have the right to access, rectify and erase their personal data, as well as the right to data portability (to obtain their personal data in a commonly used electronic format).
Businesses are required to implement a risk-based data security strategy. This implies technical measures such as firewalls and antivirus software, in addition to organisational processes such as password management and the reporting of data breaches. In this context, outsourcing personal data processing is a sensitive issue and is authorised only when the processor is itself compliant. Companies which use cloud storage services outside their country of origin must check that an adequate level of data protection is guaranteed. Until an agreement is reached between Switzerland and the United States, along the lines of the agreement already in place with the European Union, any transfer of data with a direct or indirect link to the United States is considered “illicit”.
Supply chain security considerations: cybersecurity and how to protect against new risks
Gilbert Chopard is Managing Partner of Satom IT & Learning Solutions, one of whose fast-growing activities is strategic consulting in the field of data security and protection, in accordance with ISO 27701.
Gilbert Chopard holds an MBA in Finance from the University of San Francisco and a Master's degree in Solid State Physics from the University of Neuchâtel. He is CIPP/E, CPIM and ITIL certified, and is a committee member of several Swiss and international IT associations.
His professional career took place in the USA and England as an Investment Banker, then in Japan as a Private Banker, before returning to Switzerland to work in the IT sector, where he develops high value-added services for his group's companies.
Supply chain security is governed by a series of standards, including ISO 28000 and ISO 27001. The latter concerns companies’ information security management systems (ISMS) and, in particular, those parts of the supply chain that are exposed to attackers. Two examples of providers that were targeted illustrate the risks, and in both cases the damage fell on the provider’s customers rather than on the provider alone: in June 2023, sensitive data belonging to the Swiss cantonal and federal police was exposed when attackers compromised IT services provider Xplain; in 2020, attackers compromised a software update that SolarWinds distributed to customers including Microsoft, Intel, Cisco and the Pentagon, and used it to gain access to their networks.
In the luxury sector, risk assessment and management for outsourced functions such as ERP, process automation, communication and storage must comply with in-house validation standards. Data must be secured across the entire supply chain, upstream and downstream. Vulnerabilities must be identified in-house as well as at providers and customers, and effective controls put in place. This process has to be manageable, hence adapted to the size of the company. One possible solution could be a collective risk assessment carried out by a group of companies within the same supply chain.
Responsible purchasing applied to the watchmaking sector
Certifications and auditing: how will they evolve in terms of mutualization and cross-recognition?
Michel Mooser is a consultant and trainer in quality and environmental management systems for the public and private sectors, and in ESG project development.
He holds a Master's degree in engineering from ETH Zurich and two Master's degrees from EPFL, in environmental sciences and environmental auditing.
He has served as a delegate for the ICRC (International Committee of the Red Cross) in Pakistan, Liberia, the Philippines and the former Yugoslavia.
He has over 24 years' experience as an auditor and more than 10 years' experience as a verifier of sustainable development and greenhouse gas emissions reports.
Mr Mooser has worked for clients both in Switzerland and abroad. He has worked for the watchmaking industry for many years, including as an auditor for the RJC. He is currently audit manager for SGS.
Former General Manager of Toshiba Consumers France, then CEO of Orest s.a., a leading subcontractor to international luxury jewellery brands, Charles C. was with Piaget from 2002 to 2009 as Executive Vice President in charge of the Jewellery Business Unit.
In 2009, he was appointed Corporate Social Responsibility Director and member of Richemont SA's CSR and Reputation Committees, providing strategic support and corporate affairs services to the Group's brands until 2019.
At the same time, Charles C. was heavily involved in the development of the Responsible Jewellery Council, serving on its executive committee for ten years in positions including Vice-Chairman and Chairman.
Certified Corporate Director and Expert Consultant; member of the Cultural Council of the FHH, member of the Board of Directors of the Haute Ecole de Joaillerie de Paris and of leading companies in this sector in Europe.
Graduated top of his class from Sup de Co Bordeaux, MBA from the University of Montreal, and Ch.B.A. accredited.
The seminar ended with a round-table discussion, moderated by Michel Mooser, lead auditor at Société Générale de Surveillance (SGS), and Charles Chaussepied, consultant, former CSR director at Richemont and for ten years a Responsible Jewellery Council board member. One of the main observations was that companies are obliged to integrate more and more regulations and requirements into their processes, resulting in a succession of audits on cybersecurity, carbon emissions, supply chain traceability and so on. The number of (sometimes contradictory) standards is also growing rapidly. Suppliers must in turn adapt to meet the demands of their clients: large companies, each with its own set of requirements. Are we asking too much, with too many buyers and too many audits in too many areas? This situation has, incidentally, given rise to a fast-growing business of service providers offering assistance with certification and compliance.
Ultimately, it all comes down to adapting solutions to a company’s resources, risk exposure and ESG objectives. Businesses should support their suppliers, keeping in mind that the purpose of any standard is to prioritize resources.