DEV Community

Chrysa Natsopoulou

Decoding Data Compliance: A Dive into the Data Act & Data Governance Act

Welcome to our blog journey into the world of data rules!

Today we're talking about two important game-changers: the Data Act and the Data Governance Act (DGA). Think of them as guideposts in the digital world, showing us how to handle data more responsibly. Let's dive in together to understand what these rules require, how they shape our data future, and why they matter for anyone who builds or secures systems that process data.

The Data Act and the DGA are two regulations that form part of the European Data Strategy. The strategy aims to build a single market for data, in which data can flow within Europe and across sectors. It comprises four key components, each addressing a distinct facet of the overall strategy:

Data Governance Act
Ensure TRUST in data sharing.

Data Act
Ensure FAIRNESS in the allocation of data value among the actors of the data economy.

Implementing Regulation on high-value datasets (under the Open Data Directive)
Unleash the socio-economic potential of data as raw material for INNOVATION, in particular for Small and Medium-sized Enterprises (SMEs).

Digital Markets Act
Regulate MARKET POWER based on data.

Data Governance Act

Why was the DGA created in the first place? The short answer is the rise of digital technologies and the growing economic and societal value of data. As more people and organisations share and reuse data, new questions have emerged about its safety, about who is allowed to handle it, and about how to make sharing trustworthy.

So let's imagine the DGA as a rulebook for how data, whether personal or non-personal, should be shared and reused. It does not replace the GDPR; it works alongside it, and wherever personal data is involved the GDPR continues to apply in full. The goal is to make data move freely within the EU while keeping everything related to that movement trustworthy and safe.

So what does the DGA actually do?

1. Reusing certain categories of protected data held by public sector bodies in the EU
The regulation sets the conditions under which data held by public sector bodies but protected on grounds such as commercial or statistical confidentiality, intellectual property or personal data protection can be made available for reuse, for example for research projects, without undermining that protection.
2. Setting up a notification and supervisory framework for data intermediation services
The DGA establishes a mechanism for notifying and overseeing companies or services that act as neutral intermediaries between data holders and data users, ensuring their adherence to the regulation's requirements.
3. Creating a voluntary registration framework for data altruism organisations
Under the DGA, organisations that collect data voluntarily made available by individuals or companies for objectives of general interest can register and demonstrate that they follow proper practices. Consider a neighbourhood watch group gathering information on local incidents to bolster community safety. By registering and adhering to the established rules, this group can affirm its commitment to using the data it collects for constructive purposes only.
4. Establishing a European Data Innovation Board to promote innovative uses of data in Europe
The DGA sets up an expert group that advises the Commission and encourages new ways of using data for the benefit of Europe. For example, researchers might analyse healthcare data to improve medical treatments.

But how does the DGA affect the area of cybersecurity?

The DGA does not prescribe specific security controls such as encryption algorithms or Multi-Factor Authentication (MFA); it sets outcomes. Data intermediation service providers must ensure an appropriate level of security for the storage, processing and transmission of the data they handle, and public sector bodies that allow reuse of protected data may require measures such as anonymisation or pseudonymisation and access only through a secure processing environment. In practice, organisations that want to meet these obligations end up establishing robust procedures for handling information, investing in tools and practices such as strong encryption and MFA, educating staff on responsible data handling, and maintaining an incident response plan so that a breach of shared data can be contained and reported quickly. The last point is worth stressing: an incident response plan is good practice rather than an explicit DGA requirement, but a data intermediary that cannot explain how it would react to a compromise will struggle to demonstrate the level of security the regulation expects.

What do companies need to do to comply with the law?

The DGA holds significant importance because it pushes businesses to transform their approach to data management, evolving from mere protection of data to a more comprehensive governance framework. Here are some of the requirements expected from organisations and EU countries under the DGA:
First, organisations that share or intermediate data must implement robust measures for its secure handling. This means enforcing strict access controls so that only authorised individuals can access and use the data, and protecting data both in transit and at rest, for which encryption is the standard answer even though the regulation does not mandate a particular technique. More broadly, organisations must establish a data governance framework that sets out rules and procedures for effective data management, fostering transparency and accountability. Data intermediation service providers must also notify the competent authority of their member state and cooperate with it; the competent authority monitors compliance and can require corrective action. For instance, a public sector body that wants to open protected data for reuse can turn to the competent body designated by its member state for help with anonymisation, secure processing environments and the correct interpretation of the rules.

To ensure the effective implementation of the framework for reusing public sector data, each EU country must:

  1. Designate one or more competent bodies to support public sector bodies in granting or refusing access to data for reuse.
  2. Establish a single information point where individuals and companies can find which data is available and submit requests for data reuse.
  3. Put in place a process for handling reuse requests, with a decision taken within two months of receipt of each request.

The DGA entered into force on 23 June 2022 and is applicable since 24 September 2023.

DATA ACT

The DGA needs a companion. Today, the Internet of Things (IoT) revolution fuels exponential growth in data, and the projected data volume is set to skyrocket in the coming years. Considering that around 80% of industrial data is never used, often because of unclear rights and a lack of trust between the parties, the Data Act was the next logical step: it brings new rules on who can access and use data and under which conditions.
The Data Act aims to boost the EU's data economy by unlocking industrial data, optimising its accessibility and use, and fostering a competitive and reliable European cloud market. It seeks to ensure that the benefits of the digital revolution are shared by everyone.
This regulation specifically addresses data generated through the use of connected products and related services. It empowers users of connected devices, from smart household appliances to intelligent industrial machines, to access the data generated during their usage, data that today is frequently held exclusively by the manufacturer.

Which are the objectives of Data Act?

1. Empower Consumers and Companies using Connected Products
The primary objective is to give individuals and businesses that use smart devices control over the data those devices generate. For instance, with a smart thermostat, the Data Act gives you the right to access the data it produces, to know how that data is used, and to have it shared with a third party of your choice, such as an independent repair service.
2. Increase Availability of Data for Commercial Use and Innovation Between Businesses
With more data accessible to businesses, they can leverage it to build innovative products. For example, if a weather station collects data, the Data Act could enable a company to obtain that data, with the user's agreement, and use it to develop a new app tailored for farmers.
3. Introduce New Mechanisms for Re-use by Public Sector Bodies of Data in Exceptional Situations
The next objective is to allow public sector bodies to request data held by companies in cases of exceptional need, for instance to support disaster response during a public emergency, using information that was originally collected for a different purpose.
4. Increase the Fluidity of the Cloud/Edge Market and Raise Trust in the Integrity of Cloud and Edge Services
The Data Act also influences cloud and edge services. It requires providers to make it easy for customers to switch to another provider or bring their data back in-house, and it obliges them to take measures against unlawful access to EU-held data by non-EU governments. For instance, if you store your photos with a cloud service, the Data Act is meant to ensure you can move them elsewhere without technical or contractual lock-in.
5. Establish a Framework for Efficient Data Interoperability
The final objective is to establish a framework that makes it easier to combine and move different kinds of data across services and data spaces. This means that if you hold health data in a fitness app and wish to use it in a different app, the Data Act provides for interoperability rules and standards that make such a transfer smooth and efficient.

How can someone comply with the Data Act?

As the Data Act centres on connected products, one essential requirement is that such products and their related services must be designed and manufactured so that the data they generate is accessible to the user by default, easily, securely and, where relevant, directly, without the user having to file a formal access request. Where direct access is not feasible, the data holder, typically the manufacturer or the provider of the related service, is obliged to make the data available to the user without undue delay upon request, and to share it with a third party the user designates. A further provision concerns security: access, use or further sharing of data may be restricted where it would undermine security requirements for the product that are laid down by EU or national law. The final point concerns the GDPR: the Data Act does not affect rights and obligations under the GDPR and does not create any new legal basis for processing personal data.

The Data Act also has implications for cybersecurity. It significantly changes how companies manage data and, in doing so, how they have to think about security. While advocating for increased data sharing, it also poses challenges, such as preventing unauthorised access to newly exposed data interfaces, making sure that shared data does not become a new attack surface, and protecting the data in transit and at rest:
Increased Data Sharing
The Data Act obliges organisations to make device data available to users and to third parties chosen by them. Every new access path has to be authenticated, authorised and logged, so that the obligation to share does not turn into an open door.
Data Processing (Cloud and Edge) Services
The Act sets rules for providers that process data on behalf of others, such as a cloud storage company holding data for its clients: they must enable switching between providers without lock-in and must take measures against unlawful access by third-country governments.
Competition and Security Balance
The Act aims to ensure fair competition among companies in the data market. While encouraging healthy competition, it also recognises that access to data can be restricted where sharing would undermine security requirements laid down by law, and that trade secrets must be protected through appropriate technical and organisational measures.
Standardisation and Security Measures
The Act provides for interoperability standards for data sharing, and organisations that implement them will have to pair them with robust cybersecurity measures.
Data Innovation and Security
The Act assigns new tasks to the European Data Innovation Board, the expert group established by the DGA, including advising on interoperability and on the consistent application of the rules. While promoting new ideas is commendable, cautious consideration is essential for cybersecurity. The objective is to mitigate security risks that may emerge from experimenting with innovative approaches to data usage.

In June 2023 the Council and the European Parliament reached a provisional agreement on the Data Act. The regulation (Regulation (EU) 2023/2854) entered into force on 11 January 2024 and applies from 12 September 2025.

And let's conclude with two quotes...

This is a significant milestone in the journey towards a single market for data. The Data act will optimise data use by improving data accessibility for individuals and businesses. This is very good news for our digital transformation.
Margrethe Vestager, Executive Vice-President for a Europe Fit for the Digital Age - 28/06/2023

Following the adoption of the Digital Services, Digital Markets and Data Governance Acts, today’s agreement forms another milestone in our efforts to re-shape the digital space. The Data Act will ensure that industrial data is shared, stored and processed in full respect of European rules. It will create a thriving data economy that is innovative and open, but on our European conditions.
Thierry Breton, Commissioner for Internal Market - 28/06/2023
