I am often asked how to get buy-in and sponsorship for a Privacy Programme. Spoiler alert scaremongering about €20 Million fines doesn't really work, so I decided to publish this guide to help Privacy teams get the support they need.

Managing this type of data is a tricky business and almost no organisation seems to be doing it in a way which respects privacy and data protection laws. Here are our key messages for those processing geolocation, vehicle data, connected car data and telematics data.

In this piece, I want to dive into some key points of the proposal, which if passed, have the potential to derail certain long term business strategies and to change the way IoT organisations are run.

Background Over the last 12 months, I have been leading workshops with OEMs, IoT product owners and business stakeholders, to discuss the proposed upcoming EU Data Act and how it will impact their organisation and business models. Over this time, I have become fascinated with the EU Data Act and, whilst it is not without its hurdles, I consider it to be a truly revolutionary move by the EU. I believe it will change how we view data creation, ownership, use and distribution. In fact, considering the colossal implications it is likely to have, it is surprising how infrequently I see it discussed. As we move into an era of big data, AI and machine learning, democratisation of data is pivotal - all of us generate data through our labour and our everyday actions, but few of us reap the rewards and profits of that data creation. I view the EU Data Act as an instrument to ensure that the benefits of this data are distributed evenly across society. Whilst it no doubt brings challenges, it creates infinite possibilities for all players - from manufacturers to individuals, businesses and service providers and of course public bodies. It will require careful consideration from organisation leaders, who will have to, once again, consider data at every stage of their strategy and operations - just like they did for GDPR, but this time for all data, not just personal data. Data protection professionals will certainly be key stakeholders and advisors on this journey and I am excited. This is the first in a series of articles about the EU Data Act. This initial piece is a very high level overview of the EU Data Act – what it is and where we are at. It will provide the foundation to my future articles, which will be deep dive ‘think pieces’ and analysis about the opportunities, threats and impacts of the proposed legislation. I will consider the Privacy and Data Protection, the Automotive industry, OEMs, Insurers, IoT manufacturers, businesses and consumers.  I should caveat that everything that you read is my interpretation and opinion at the time of writing. The EU Data Act hasn’t yet been finalised and is likely to evolve over time, as will the broader understanding of it. Please feel free to engage and even challenge in the comments for some healthy debate. What is the EU Data Act? The EU Data Act is a legislative proposal which aims to lay down consistent rules, specifying who is entitled to access data generated by the use of products or related services. Its goal is to ensure a greater balance in the distribution of the value from data. Why do we need the EU Data Act? Data-driven technologies have been transforming and driving all sectors of the economy. Products and services connected to the Internet of Things (IoT) have led to more data being generated than ever before. This data can be extremely valuable for consumers, businesses, and society, but there are massive barriers to gaining access to and sharing this data, including a lack of incentives for companies holding the data to share it, uncertainty about rights and obligations, high costs, fragmented data, lack of interoperability and data protection issues. These barriers prevent data being shared and used in a way that benefits society and the wider economy, so monopolies reign. The EU Commission states that 80% of industrial data is never used and believes the introduction of the EU Data Act will unlock the value of the data economy and act as an engine for innovation, competition and economic growth. What are the specific objectives of the EU Data Act? Some key points of the EU Data Act are still under negotiation, but the following broad goals are likely to apply: Design - Connected products and services should be designed in such a way that allow the User access to data generated by the use of that product or service. For the purpose of this proposed EU Data Act the User of a product or service could be an individual or organisation - for example an individual User would be a connected vehicle owner driving their vehicle, a business User could be an organisation who runs a fleet of connected vehicles. Both would be entitled to access data. Sharing data with Users – At the request of Users, data generated by the use of product or services should be made available to those Users or other data recipients providing services to those Users. Again, Users can be individuals or organisations. This means that organisations that are offering legitimate services to Users will be able to gain access to data that, prior to the introduction of the EU Data Act, may have been very difficult to obtain. For example insurers wishing to insure based on how an individual drives will be able to get access to the Insured's connected car data on the request of the User. Contractual terms – Ensuring fair contractual terms for data sharing agreements to prevent parties to contracts abusing imbalances in negotiating power to the detriment of weaker parties. In essence this means that big players won’t be allowed to impose unfair terms that disproportionately benefit them. Sharing data with public bodies -Where there is an exceptional need in the public interest, data holders will need to make data available to public bodies. Cloud Switching - Provisions of interoperability to facilitate switching between cloud and edge services easily, to avoid vendor lock-in, thus improving competition. Safeguards against unlawful transfers - Introducing defences against unlawful international governmental access to non-personal data. Whilst the EU has strict rules on how personal data may flow internationally, there are no protections for non-personal data. This part of the Data Act aims to introduce some safeguards from unlawful government access. Interoperability standards - Provide for the development of interoperability standards for data to be reused between sectors. What is the current status of the EU Data Act? The EU Data Act proposal has been reviewed by the EU Council and EU Parliament and they have each proposed amendments. EU institutions are now in trilogue discussions – a third scheduled for the 27th June 2023. The EU Data Act is likely to pass in 2023, some are saying sooner, rather than later. Does the EU Data Act only apply to EU companies? No it will be broader - there are still some minor points that will be clarified in EU negotiations, but it is likely to apply to the following: Organisations providing products or services on an EU market and the use of data generated in relation to the use or those products and or services. Data holders that make data available to recipients in the EU Users of products or related services in the EU that make data available to data recipients in the EU. Data recipients to whom data are made available. Public sector bodies that request data holders to make data available (where there is an exceptional need for that data for the performance of a specific task carried out in the public interest). Providers of data processing services to customers in the EU. Are there any exemptions for smaller organisations? The EU Data Act provides exemptions for micro and small enterprises as follows: A small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. A micro enterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. The above applies, as long as these enterprises are not linked or partnered with other enterprises that do not qualify as micro or small. Depending on how the negotiations proceed, we may see other exemptions for medium enterprises and possibly tighter exemption qualifying criteria, whereby micro and small enterprises will still be in scope if they are subcontracted to manufacture a product or provide a service. When will the Data Act be effective? There is still some debate on the timeline for enforcement – as it stands it looks to be between 18 and 24 months after it enters into force. Will the EU Data Act apply retroactively? Maybe – if negotiations align with the EU Parliament’s view, then obligations under Article 4.1 to make the data generated by User’s use of a product or related service, will apply to products and services placed on the market 5 years before the EU Data Act came into force , as long as the provider of a related service is able to remotely deploy mechanisms to ensure the fulfilment of the requirements. Will organisations have to comply with the EU Data Act? Yes, there will be fines and penalties for non compliance. Conclusion The EU Data Act has far reaching scope and implications and creates endless opportunities and threats. Business leaders should be thinking about the EU Data Act now and considering how it will impact their strategy, roadmap and objectives. Has your organisation considered the EU Data Act? What opportunities and threats do you see and how are you preparing? Please follow our LinkedIn Page for future blogs on this topic and if your organisation requires support navigating the proposed EU Data Act, please visit www.dataactconsulting.com

Originally published June 2020.  I am old enough to remember 2019. In those days, most people had face to face meetings and sometimes even travelled to other countries just to get business done. Fast forward six months and meetings are taking place in the comfort of our own home. Video conferencing has surged and the most used sentence in the business world today is now “You’re on mute”.

Originally published in December 2017 - this GDPR project guide will help you plan your GDPR project and understand the order in which things should be done to avoid rework or missing important tasks. When it comes to GDPR projects, there is a tendency for businesses to focus on areas which seem to be quick wins or they are comfortable with, this is a big mistake on GDPR because there are key dependencies which means the order of task execution is important to the success for the project.