The European Commission has published guidance on the free flow of non-personal data.
In accordance with its obligation under the regulation on the free flow of non-personal data (FFD Regulation), the European Commission has released the guidance to help SMEs understand datasets composed of non-personal and personal data. Its aim is to clarify interactions between FFD and GDPR.
Guidance documents clarify the rules that apply when processing personal and non-personal data, giving practical terms and examples to ease understanding.
Private businesses, particularly small and medium-sized enterprises, organisations and other entities which process data were the primary focus for the advice. This covers the producing, collecting, storing, transmitting, and processing of data; however, even businesses which solely process non-personal data are recommended to use the guidance as it offers localisation requirements.
The European Commission also hopes this will reaffirm consumer trust that their information is treated with security and care.
The guidance identifies the interaction of FFD and GDPR and the interplay between the two regulations regarding the free flow of data, and explains the concepts of the two data types and which rules apply for processing mixed datasets.
Additionally, the guidance clarifies the idea of data portability and how this differs between GDPR and FFD.
Codes of conduct for data porting and switching data processing service providers are covered in the document, as well as the role of self-regulatory work. Finally, the guidance offers advice on the free movement of data within the EU and data localisation requirements.
Non-personal data is information not related to a person, such as weather conditions or technology maintenance, or data which was initially personal but has been made anonymous.
A mixed dataset consists of both personal and non-personal data, such as tax records which offer the name and telephone number of a company’s managing director but also incident reports. The regulations do not require mixed datasets to be split or for them to be processed separately.
If both types of data are inextricably linked in the mixed dataset, data protection rights and obligations under GDPR apply to the full dataset.
There are no contradictory obligations under GDPR and FFD, with both encouraging the free flow of data.