Data protection goes beyond the GDPR

When it comes to data security, the focus is often on personal data, but the same protection must also be guaranteed for data without any personal reference. Those responsible for security should definitely consider the data strategy of the EU.

Since the GDPR (General Data Protection Regulation) came into force, if not before, the topic of data protection has been on everyone’s lips. However, data security is about far more than the security of personal data. The protection goals of confidentiality, integrity and availability must also be guaranteed for data without any personal reference. Therefore, in addition to the much-discussed GDPR, those responsible for security should also take into account the entire data strategy of the EU in order to derive requirements for the security of their data. Particularly noteworthy here are the Data Governance Act and the Data Act, which we discuss in more detail below.

European Data Governance Act

As a central pillar of the European data strategy, the Data Governance Act aims to increase trust in data sharing, strengthen mechanisms to improve data availability and overcome technical barriers to data reuse. It is also intended to support the establishment and development of common European data spaces in strategic areas involving both private and public actors. The Data Governance Act came into force on June 23, 2022 and will apply from September 2023 after a 15-month grace period.

The Data Governance Act provides specific safeguards for public sector data and data brokerage services to prevent the unlawful international transfer of non-personal data or unlawful international access to it by government organizations.

For those responsible for security, it is important to know that the regulation provides for the following, among other things:

  • A set of measures to increase trust in data sharing, as lack of trust is currently a major barrier and results in high costs.
  • A novel role for data intermediaries as trusted organizers of data sharing.
  • Ways and means by which Europeans can take control of the use of the data they generate.

“You don’t have to share all data. But if you share data and it’s sensitive, you should be able to do so in a way that ensures trustworthiness and privacy of the data. We want businesses, but we want citizens too and give citizens the tools to stay in control of their data, and to give confidence that data is treated in accordance with European values and fundamental rights.”

— Margrethe Vestager (Executive Vice-President for a Europe fit for the digital age)

European Data Act

The proposal for a regulation on harmonized rules for fair access to and use of data — also known as the Data Act — was adopted by the Commission on February 23, 2022. The Data Act is an important pillar of the European data strategy.

While the Data Governance Act creates the processes and structures to facilitate the handling of data, the Data Act clarifies who can create added value from data and under what conditions. It aims to ensure fairness by establishing rules for the use of data generated by Internet of Things (IoT) devices. In addition, the Data Act aims to ensure coherence between data access rights, which are often developed for specific situations and with different rules and conditions.

Those responsible for security should know that the Data Act includes the following:

  • Means for public authorities to access and use data held by the private sector as needed in special circumstances, notably public emergencies, or to carry out a legal mandate when the data is not otherwise available
  • New regulations to enable customers to effectively switch between cloud service providers
  • Introduction of protective measures against unlawful data transfers

Data Protection & EU Data Strategy – Frequently Asked Questions

Does data protection in the EU only cover personal data under the GDPR?

No. While the GDPR protects personal data, security objectives like confidentiality, integrity and availability also apply to non-personal data. The EU data strategy (e.g., Data Governance Act and Data Act) adds safeguards for sharing and reusing non-personal and industrial data.

What is the core idea of the Data Governance Act (DGA)?

The DGA aims to increase trust in data sharing, enable reuse of public-sector data, and remove technical barriers. It introduces trustworthy data intermediaries and safeguards to prevent unlawful international transfer or access to non-personal data.

Who are “data intermediaries” under the DGA?

They are neutral, trusted entities that organize data sharing between data holders and users. They must operate with strict neutrality and transparency and are subject to oversight to build trust in data exchange.

How does the Data Act differ from the DGA?

The DGA focuses on governance, trust and mechanisms for data sharing. The Data Act defines who may access and use data, under what conditions, and sets fair-use rules—especially for data generated by IoT devices and industrial systems.

Can public authorities access private-sector data under the Data Act?

Yes, in narrowly defined exceptional cases (e.g., public emergencies or when required by law and data is otherwise unavailable). Such access is subject to safeguards and proportionality.

What does the Data Act say about switching cloud providers?

It establishes rules to make switching between cloud and edge services easier, reducing vendor lock-in and enabling portability and interoperability across providers.

How are international data transfers addressed outside the GDPR?

The DGA provides safeguards for non-personal data against unlawful international transfer or access by foreign authorities. Organizations should evaluate both GDPR rules (for personal data) and DGA protections (for non-personal data).

What should security officers prioritize in practice?

Map data types (personal vs. non-personal), define sharing/use cases, select compliant intermediaries, enforce technical and organizational controls, and plan for portability and lawful public-sector access scenarios under the Data Act.
