Non-Personal Data: How to Handle It & the Opportunities for Businesses

You might not use personal data in your business, but did you know that you need to follow specific rules even for non-personal data?

And what about mixed data that contains both personal and non-personal information? The new Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data in the EU (Free Flow of Non-Personal Data Regulation) became applicable on 28 May 2019.

Together, the new Regulation and the General Data Protection Regulation (GDPR) aim to provide a stable legal and business environment for data processing.

The new Regulation prevents EU countries from putting laws in place that unjustifiably force data to be held solely inside national territory.

The aim of the new rules is to increase legal certainty and trust for businesses and make it easier for SMEs and start-ups to develop new innovative services, to make use of the best offers of data processing services in the internal market, and to expand business across borders.

To clarify further, the European Commission has published practical guidance which aims to help users, in particular small and medium-sized enterprises, understand the interaction between the new Regulation and the GDPR, especially when datasets are composed of both personal and non-personal data.

Let’s analyse this Regulation and see what needs to be done in order to stay compliant!

Personal, Non-personal or Mixed Data? Here’s How to Process Each.

The Commission’s guidance addresses the concepts of personal and non-personal data covered by each of the regulations.

While personal data is defined in the GDPR, non-personal data is defined in the Free Flow of Non-Personal Data Regulation as “data other than personal data as defined in point 1 of Article 4” of the GDPR.

Non-personal data is categorised by origin as:

  1. Data that originally did not relate to an identified or identifiable natural person, or
  2. Data that were initially personal data, but were later made anonymous. Note that anonymisation of personal data is different to pseudonymisation, the latter being processing of data that can ultimately be attributed to a person with the use of additional information.

In most everyday situations, a data set is likely to be a mixed data set consisting of both personal and non-personal data. In the case of a mixed data set, the guidance sets out the following approach:

  1. The Free Flow of Non-Personal Data Regulation applies to the non-personal data part of the set;
  2. The GDPR applies to the personal data part of the set;
  3. If the non-personal data and the personal data are “inextricably linked”, the data protection rights and obligations arising under the GDPR will apply fully to the whole mixed dataset, even if the personal data represents a small part of the set.

The New EU Regulation About Free Flow of Non-Personal Data Says:

No Data Localisation Requirements

The data localisation requirements shall no longer apply: under the Regulation, the location of non-personal data for storage or processing within the EU shall not be restricted to the territory of a Member State. As such, the free movement of data should be established.

In practice, this means that a cloud service provider in the EU may decide for itself where it stores non-personal data.

Data Still Needs to Be Available for Regulatory Authorities

The Regulation does not affect the powers of the regulatory authorities to request, obtain or access data for the performance of their official duties in compliance with EU and national law.

Access to data may not be refused to the regulatory authorities on the basis that the data are processed in another Member State.

Self-Regulation of Non-Personal Data for Healthy Competition

With respect to the portability of data, the European Commission will encourage and facilitate the development of self-regulatory codes of conduct at EU level in order to build a more competitive data economy.

Get a Head Start on Compliance

This new Regulation will certainly generate fewer headlines than its more famous cousin, the GDPR, and its impact will be much less significant.

While the aim of the Regulation is to be welcomed, its interaction with the GDPR could create difficulties.

The Regulation provides that where a data set is composed of both personal and non-personal data, the Regulation will apply to the non-personal data. It also states that where the personal and non-personal data in a data set are inextricably linked, the Regulation “shall not prejudice the application” of the GDPR.

Businesses that have already implemented processes and procedures such as data mapping, data inventory and the maintenance of records of processing activities as part of GDPR readiness will have a head start in getting ready for the new law.

Convert is ready and prepared for this law. Are you?

Originally published August 06, 2019 - Updated September 13, 2019
Dionysia Kontotasiou
Dionysia is Convert's Head of Integration and Privacy. Fresh off the GDPR compliance stretch, you can find Dionysia helping customers with their technical queries and making homemade pizza in her spare time.