The EU Data Act 2023: Navigating The Compliance Impact
Anthony
Apr 22, 2024
By 2025, transmission of 180 Zettabytes of data is projected within the EU. For context, 11 trillion gigabytes make 1 zettabyte. While GDPR does what it does best to protect the privacy and integrity of user data, the need for a regulation purpose-built for the age of IoT (Internet of Things) and cloud computing has emerged. That’s where the EU Data Act comes in.
Users interact with multiple online touchpoints daily to conduct commerce, share information, access financial assets, access healthcare, transportation, consume entertainment, and more.
These interactions are made seamless by deep integration with businesses, devices, networks, etc. Businesses enable these interactions (with speed and convenience) by processing user information via cloud computing, the Internet of Things, connected services, ML, NLP, AI, and several other models.
In this process they also create (generate) their own data on top of these data sets for predictive analysis, risk assessment, and trend insights. These generated data sets often fly under the radar of compliance enforcement, since no regulation addresses these use cases in depth. This leaves zettabytes of data in a gray area for businesses to play with.
The EU Data Act 2023 solves this by regulating the usage of these data sets. The EU Data Act 2023 is developed to ensure the security of these data sets and simultaneously offer users a broad degree of control over their information.
Let’s examine the EU Data Act 2023 and what it entails. We’ll also examine the business impact and how businesses need to prepare for the regulation.
Let’s dive in.
TL;DR
- Trillions of Gigabytes of generated data are unregulated and vulnerable to malicious usage globally. This act enforces security for generated data.
- Businesses that fall within the scope of the EU Data Act 2023 should become compliant by September 12, 2025.
- Users now have access to view and import their smart data no matter which processing service is used by businesses.
- The act sheds light on the ownership and usage of machine-generated data by businesses and public sector bodies.
Understanding the EU Data Act
Here’s the definition of the EU Data Act from the European Commission’s public records: “The Data Act is a comprehensive initiative to address the challenges and unleash the opportunities presented by data in the European Union, emphasizing fair access and user rights, while ensuring the protection of personal data.”
The European Commission’s video “EU Data Act: Better use of data for people, businesses and emergencies” explains the intent behind the EU Data Act 2023.
While this is a simple definition (a little too simple if you ask us 🙂) the scope the regulators have laid out is vast, detailed, and objective.
Before we talk about the scope, it is essential to understand the key objectives of the EU Data Act 2023. Visibility and clarity on the key objectives can help you understand how your business stands against the requirements and the processes required to become compliant.
The key objectives are:
- Regulate access to and the usage of metadata that is technology-generated (IoT, AI, connected devices, etc.)
- Enable service switch requests from users in the context of cloud services/apps
- Create a framework to share data using IoT with the EU region and encourage development of interoperability standards
- Enable users to access data generated from connected systems on request
- Grant enhanced privacy and security-related rights
- Ensure businesses processing data honor information requests in near real-time and provide the data in a clear and understandable format
- Grant the right to data portability, allowing users to access and copy metadata generated from connected systems
- Apply sector-specific regulations for specific sectors (smart cars, health wearables, etc.)
- Ensure there are data coordinators who assist the legal bodies and competent authorities in ensuring the application of and compliance with the EU Data Act
Businesses can only deny these service requests under these circumstances:
a) If the data could pose a threat to the security and safety of natural persons (real people)
b) Allowing access to view, copy, or share the data can compromise the manufacturer’s security capabilities; these instances are mentioned in the manufacturer’s privacy policy.
What is the impact of the EU Data Act, and how can your business leverage it?
Who are the involved parties?
- Connected products (trackers, sensors, smart devices)
- Data (any facts or information collected by products about their users)
- Related services (services that can benefit from this data, such as healthcare, FMCG, comms)
The EU Data Act will now encompass all kinds of connected product data, such as personal data, impersonal data, metadata, related service data, related product data, and intelligent contract data. This minimizes the exploitation of loopholes around data classification and compliance requirements that are used to illegally transmit data to regions with lenient security regulations.
On the positive side, this increased interoperability between business processors (manufacturers and computing service providers) to share personal and metadata will have a significant impact across industries like healthcare, logistics, FMCG, the public sector, smart homes, smart cars, smart watches, construction, airlines, agriculture, mobility, communications, and a lot more.
For example, use cases in the public sector are innumerable. Access to emergency medical records in critical, time-sensitive emergencies will now take seconds instead of 1-24 hours; access to medicine can now be streamlined based on real-time information from cloud providers; and governing bodies can now be a step ahead instead of firefighting famines, floods, natural calamities, pandemics, etc. There are many services to customers that can be optimized using data-driven innovation.
As a business leader, you can leverage compliance with the EU Data Act 2023 to announce your commitment to data security and integrity to the world and your prospects. Becoming compliant will involve new processes and changes across the organization; the process is more straightforward if you are already GDPR compliant.
For businesses that are not GDPR compliant, it’s recommended to become compliant with the EU Data Act 2023 while they are in their GDPR journey. Think of the EU Data Act as an add-on since implementation modules for both are similar, thus increasing reusability.
As the EU Data Act is fairly new, it’s best to get help from compliance experts. It is always recommended to pick a compliance automation platform over traditional consultants to avoid wasting too many man hours and resources while still maximizing chance of success.
How to prepare your business for the EU Data Act 2023?
The EU Data Act 2023 requires businesses to adopt certain changes in their operations, security stacks, user access request prioritization, and more to become compliant. It also requires firms to create an interoperability bridge with other service providers, consumers, public organizations, etc., for smoother data transfer to destinations outside their business environments and between businesses.
The infrastructure supporting interoperability for data transfers will likely be offered as standards by cloud service providers (AWS, Google Cloud, etc.), and it is very unlikely that businesses will have to build one from scratch.
Here are a few steps that companies will have to take to ensure compliance and fulfilment of contractual obligations:
- Businesses should focus on setting up systems and implementing processes to ensure service requests and sharing obligations are resolved in a timely manner and that there is no unlawful transfer of personal and non-personal data.
- Upgrade your existing controls and administrative policies for data portability to meet the enhanced data portability requirements of the EU Data Act.
- Update your website’s privacy policy to meet the EU Data Act 2023 standards. Include a section mentioning the user’s right to collect their data from the data holder when their contract ends and the steps to do it.
- Also include all the instances in which data requests are rejected and justify the reason (e.g., when data sharing could impact the security framework, damage the health or well-being of a real person, or violate the protection of trade secrets). In every scenario, it is important to address the user through official channels of communication.
- Including an escalation matrix of your compliance team (in big, bold font and bright, catchy colors) on your website helps users spot and use that information to contact the escalations officer and get their query addressed. This matrix can minimize missed SLA occurrences and double up as a feedback-collecting avenue. Enabling this is a significant step in the right direction and helps provide a baseline legal protection in terms of right intent.
Addressing Trade Secrets and Data Access Rights
According to Chapter II and Chapter III of the Data Act, a business can refuse to honor a data request if sharing said data could compromise the security structure of the business. The same applies if it gives competitors access to critical proprietary information that can be reverse engineered to gain an edge.
In instances where data holders deny access to data, they are expected to notify the National Competent Body (the governing body). The user may choose to fight this decision by submitting a complaint or by convincing the data holder to appear in court for a settlement.
Addressing use by public & governmental bodies
Businesses are required to share data with public bodies and related orgs in instances of public emergencies and situations of ‘exceptional need’. Sharing data for public emergencies will see no resistance, but if ‘exceptional need’ is not defined and the reason for the data request is not justified, businesses might respond with a lack of enthusiasm.
A mechanism to solve conflicts will smoothen the path to adoption. In instances where the justifications stated feel inadequate or inaccurate, a neutral independent body outside the scope of influence can help with conflict resolution.
What happens when a business ignores data requests?
Missing a data request SLA or not adhering to prescribed service request timelines leads to noncompliance and can lead to lawsuits, hefty fines, negative branding, undesirable churn, and opportunity loss.
You can save time and money, and minimize human intervention by deploying automation tools that automatically address common requests with purpose-built response models and alert your assigned users when a particular request needs attention.
Here are a few scenarios that the European Commission could add depth to:
- What happens after the data holder notifies the National Competent Body?
- The parameters that qualify as ‘could compromise security’ are not penned down; hence, they are malleable to a certain degree, and the parameters are likely to vary based on the size, scale, and financial position of the business.
- There is no article or chapter that prohibits the user from sharing their acquired data with businesses outside the EU.
- The role of a user needs more clarity and depth. For instance, a smart car manufacturer has two types of users, i.e., a B2B user and a B2C user; penning down what needs to be shared and what can be omitted with each user type will go a long way in building trust in the B2B space. On that note, what about those users who qualify for both B2B and B2C criteria?
What does the future hold?
Just like you can’t cook a delicious meal without quality ingredients, you cannot make accurate forecasts or data models with inaccurate or incomplete data. The EU Data Act and its enhanced interoperability will bring in high-quality data for businesses to work with while having safeguards to prevent abuse. Meeting the provisions of the act needs to be a key part of your compliance strategy.
- Data sharing among businesses will open access to new, functional, and accurate data sets that would have otherwise never left their source ecosystems. As the scale of integrations and interoperability increases, businesses will start processing rich data that cater to specific niches and segments to get the most accurate results.
- Running experiments and analyzing data to make business decisions will not be the same anymore. Using rich data, businesses will have insights into near-real risk scenarios, product market fit, pricing analysis, points of failure, market penetration projection, and more. Business expansion plans will have a near-accurate glimpse of what lies ahead and the tools they’ll need to get there.
Here’s an example of how data sharing can help businesses go beyond:
A treadmill or smart gym is a connected object/product that has access to all kinds of data such as heart rate, pace, improvements, demographics and more.
Based on these data sets, the equipment manufacturer can build ICPs (Ideal Customer Personas) based on sex, age, fitness levels, and current interests, predicting the user journey for the next decade while calculating the impact of life events (marriage, promotions, stress).
This data can be shared with healthcare companies (based on permissions being granted), and the healthcare company can target the customer with relevant healthcare checkups, yearly medical subscriptions, and more.
Analyzing data from multiple sources to map a holistic user roadmap and predict their near- and long-term future requirements can help users and businesses make informed decisions in resource planning, financial management, risk assessment, and visibility in the next steps. Businesses can leverage predictive analysis to predict the needs of a user a decade from now.
Role of compliance automation in preparation for EU Data Act 2023
A compliance platform like Sprinto helps organizations slash time and resources spent in their compliance journey by minimizing human intervention across the compliance life cycle. Sprinto’s Common Control Framework enables compliance reusability and eliminates the need to start from scratch. Since GDPR and EU Data Act 2023 are similar in multiple aspects, reusing existing infra optimizes for time, speed, and cost to the company.
Over 1,000 businesses have leveraged Sprinto to cut the time taken to become compliant from months to weeks while spending a fraction of what they would have with traditional tools or consultants.
Leverage Sprinto to make your EU Data Act compliance journey a breeze. Talk to our experts today to get started.