The EU is amidst major reforms regarding the use of personal data. Last month, the European Commission adopted the EU DGA (Data Governance Act), which contains a set of rules designed to increase access to public sector data for the development of new products and services.
The DGA applies not only to personal data but to “any digital representation of acts, facts or information”. Its rules entered into force on 23 June and take effect in September 2023.
It follows the introduction of the EU Digital Markets Act, which was approved by the European Commission earlier this month, alongside the Digital Service Package.
What is the EU Data Governance Act?
The DGA creates a framework to facilitate date sharing. It will do so with a series of data intermediation services that intend to provide a secure environment for organisations or individuals to access information.
For organisations, those services will help them fulfil legal obligations regarding data sharing. The DGA promises to make it easier for organisations to distribute data, and will remove the fear of misuse or losing their competitive advantage.
Although the DGA isn’t solely concerned with personal data, its rules will have a significant impact on the GDPR (General Data Protection Regulation). The Act gives individuals more control over their personal data, providing them tools to manage the way their information is accessed.
The DGA also encourages the wider re-use of data held by public sector bodies. This will be achieved with the use of secure processing environments and data anonymisation, which legislators believe could drive further use of such techniques beyond the public sector.
Another core component of the DGA is the creation for a licensing regime for “data intermediaries”. These are organisations offering data marketplaces and consent management platforms.
Data intermediaries will be required to meet licence conditions that designed to ensure their independence and restrict the reuse of data and metadata.
The DGA was signed into force by the President of the European Parliament and the President of the Council of the European Union on 30 May 2022, and published in the Official Journal of the European Union later that week.
It entered into force on the 21 June 2022, and it will take effect 15 months later.
Although that date seems a long way off, it’s always advisable for organisations to stay on top of the latest regulatory developments and ensure they have the knowledge to anticipate and respond to industry changes.
If your organisation has a DPO (data protection officer), they will be able to advise you on how to proceed. Even if you aren’t legally required to appoint one, the potential for regulatory change demonstrates why it’s helpful to have internal expertise.
There are many ways that organisations can appoint a DPO or someone in a similar role, so if you’re worried about the cost of hiring a full-time expert, you needn’t be. One option is to appoint an internal candidate, while another is to hire a third party on a service contract.
You can find out more about hiring a DPO and the advice they can give you about regulatory changes on our website.