Data protection goes beyond the GDPR

When it comes to data security, the focus is often on personal data – the same protection must also be guaranteed for data without any personal reference. Those responsible for security should definitely consider the data strategy of the EU.


At the latest since the GDPR (General Data Protection Regulation) came into force, the topic of data protection has been on everyone’s lips. However, data security is far from just about the security of personal data. The protection goals of confidentiality, integrity and availability must also be guaranteed for data without any personal reference. Therefore, in addition to the much-discussed GDPR, those responsible for security should also take into account the entire data strategy of the EU in order to derive requirements for the security of their data. Particularly noteworthy here are the Data Governance Act and the Data Act, which we will discuss in more detail below.


European Data Governance Act

As a central pillar of the European data strategy, the Data Governance Act aims to do this , increase trust in data sharing, strengthen mechanisms to improve data availability and overcome technical barriers to data reuse. In addition, it should also support the establishment and development of common European data spaces in strategic areas involving both private and public actors. The data governance came into force on June 23, 2022 and will apply from September 2023 after a 15-month grace period.

The Data Governance Act provides specific safeguards for public sector data and data brokerage services to prevent the unlawful international transfer of non-personal data or unlawful international access by government organizations to it.

For those responsible for security, it is important to know that the regulation provides for the following, among other things:

  • A set of measures to increase trust in data sharing, as lack of trust is currently a major barrier and high cost.
  • A novel role for data intermediaries as trusted organizers of data sharing.
  • Ways and means by which Europeans can take control of the use of the data they generate.


“You don’t have to share all data. But if you share data and it’s sensitive, you should be able to do so in a way that ensures trustworthiness and privacy of the data. We want businesses, but we want citizens too and give citizens the tools to stay in control of their data, and to give confidence that data is treated in accordance with European values and fundamental rights.” Margrethe Vestager (Executive Vice-President for a Europe fit for the digital age)

European Data Act

The proposal for a regulation on harmonized rules for fair access to and use of data – also known as Data Act – was adopted by the Commission on February 23, 2022. The Data Act is an important pillar of the European data strategy.

While the data governance regulation goes the processes and structures to facilitate the handling of data, the data law clarifies who can create added value from data and under what conditions. It aims to ensure fairness by establishing rules for the use of data generated by Internet of Things (IoT) devices. In addition, the Data Law aims to ensure coherence between data access rights, which are often developed for specific situations and with different rules and conditions.

Security officials should know that the Data Act includes the following:

  • Means for public authorities to access and use data held by the private sector as needed in special circumstances, notably public emergencies, or to carry out a legal mandate when the data is not otherwise available</li >
  • New regulations to enable customers to effectively switch between cloud service providers
  • Introduction of protective measures against unlawful data transfers