You might not use personal data in your business, but did you know that you need to follow specific rules even for non-personal data? And what about mixed data that contains both personal and non-personal information?
The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation) became applicable from 28 May 2019.
Together with the General Data Protection Regulation (GDPR), the two regulations now aim to provide a stable legal and business environment for data processing.
The new Regulation prevents EU countries from putting laws in place that unjustifiably force data to be held solely inside national territory.
The aim of the new rules is to increase legal certainty and trust for businesses and make it easier for SMEs and start-ups to develop new innovative services, to make use of the best offers of data processing services in the internal market, and to expand business across borders.
To clarify further, the European Commission has published practical guidance which aims to help users, in particular small and medium-sized enterprises, understand the interaction between the new Regulation and the GDPR, especially when datasets are composed of both personal and non-personal data.
Let’s analyse this Regulation and see what needs to be done in order to stay compliant!
Personal, Non-personal or Mixed Data? Here’s How to Process Each.
The Commission’s guidance addresses the concepts of personal and non-personal data covered by each of the regulations.
While personal data is defined in the GDPR, non-personal data is defined in the Free Flow of Non-Personal Data Regulation as “data other than personal data as defined in point 1 of Article 4” of the GDPR.
Non-personal data is categorised by origin as:
- Data that originally did not relate to an identified or identifiable natural person, or
- Data that were initially personal data, but were later made anonymous. Note that anonymisation of personal data is different from pseudonymisation, the latter being the processing of data that can still be attributed to a person with the use of additional information.
In most everyday situations, a data set is likely to be a mixed data set consisting of both personal and non-personal data. In the case of a mixed data set, the guidance sets out the approach as follows:
- The Free Flow of Non-Personal Data Regulation applies to the non-personal data part of the set;
- The GDPR applies to the personal data part of the set;
- If the non-personal data and the personal data are “inextricably linked”, the data protection rights and obligations arising under the GDPR will apply fully to the whole mixed dataset, even if the personal data represents a small part of the set.
The New EU Regulation About Free Flow of Non-Personal Data Says:
No Data Localisation Requirements
Data localisation requirements shall no longer apply: under the Regulation, the location of non-personal data for storage or processing within the EU shall not be restricted to the territory of a member state. As such, the free movement of data should be established.
In practice, this means that a cloud service provider in the EU may decide for itself where it stores non-personal data.
Data Still Needs to Be Available for Regulatory Authorities
The Regulation does not affect the powers of the regulatory authorities to request, obtain or access data for the performance of their official duties in compliance with EU and national law.
Access to data may not be refused to the regulatory authorities on the basis that the data are processed in another Member State.
Self-Regulation of Non-Personal Data for Healthy Competition
With respect to the portability of data, the European Commission will encourage and facilitate the development of self-regulatory codes of conduct at EU level in order to build a more competitive data economy.
Get a Head Start on Compliance
This new Regulation will certainly generate fewer headlines than its more famous cousin, the GDPR, and its impact will be much less significant.
While the aim of the Regulation is to be welcomed, its interaction with the GDPR could create difficulties.
The Regulation provides that where a data set is composed of both personal and non-personal data, this Regulation will apply to the non-personal data, but it also states that where the personal and non-personal data in a data set are inextricably linked, this Regulation “shall not prejudice the application” of the GDPR.
Businesses that have already implemented processes and procedures such as data mapping, data inventory and the maintenance of records of processing activities as part of GDPR readiness will have a head start in getting ready for the new law.
Convert is ready and prepared for this law. Are you?