What does Data Act compliance actually entail?
If my last three articles convinced you that you need to look at the Data Act as an unavoidable expense, then the next burning question is likely to be “so what exactly do I need to do before September 2025?”
This article will hopefully put you on the right path. Over the last year, the Greenhouse Group has gone deep down the rabbit hole of the Data Act text and interpreted and mapped every clause and related reference from a product compliance perspective. This has required extensive work, as the act itself, in the words of one lawyer I spoke to, is “pretty badly written” and opens itself to diverse interpretation. Because it is an abstract legal document, requirement specifications can only be drafted once every clause has been analysed, filtered and interpreted for relevance, intent and minimum viable compliance.
To give you a feeling of what you will need to do for every legacy IoT product or solution, on or before September 12, here is a quick overview. This is not a solution that meets the broader e-commerce and API-driven data marketplace intent of the EU Commission but rather what an absolute minimum compliance solution would look like:
a) Your Ts and Cs will need to be updated and sent to every user, specifying that they are now the effective data controller of their data and describing what they need to do to secure free, machine-readable access to it. Now is a good time to be reaching out to your legal advisors.
b) You will need to provide a digital interface where each of your data subjects can identify themselves with the intent of securing access to their data.
c) You will need to provide a mechanism by which your platform can respond to each data subject request from an identified user with a categorised description of which data you are holding on their connected products.
d) You will need to provide a mechanism by which each data subject can request that their data is provided to them in machine-readable format, with all metadata required for interpretation.
e) You will need to provide a mechanism for enabling the data subject to specify a designated third-party data receiver of their data.
f) You will need to provide a mechanism to create data sharing contracts between the data subject, yourself and the designated data receiver and to secure digital signatures from each party.
g) You will need to provide a mechanism to respond to each signed data request and retrieve the specified data and metadata from your data sources, redact PII, categorise trade secret data, package into a machine-readable file and deliver securely to the designated data receiver.
h) You will need to provide a similar mechanism towards all EU public bodies for the sharing of both anonymised and user-specific data for both statistical and public emergency use cases.
To enable this to happen, you will need to develop not only all the user interfaces for data subjects and data receivers, but also a back-end function capable of mapping and categorising all user and device data across all products, and of providing your legal team with data governance tools for that data. You will also need to ensure this access is secure and private, and to minimise the archived record of each data sharing event.
That is a helicopter view of what minimum viable compliance for any legacy IoT product or solution would entail. If you were to embrace the intent of the EU Commission, you would add an e-commerce site for data receivers to buy data, provide full API access to them and deliver diverse 3PP-initiated transaction flows. Currently overkill.
As it stands you have exactly 154 days to get all this done. If you need help generating a compliance requirement, feel free to reach out to us. In the next articles I will start to share the various vendors we have identified who could potentially simplify the process.
Antony