Data sharing is a critical component in various fields and industries, offering numerous business benefits that can enhance decision-making, collaboration, innovation, and efficiency. Additionally, data sharing can help governments, stakeholders, and the general public to access information that can be used to hold organizations accountable for their actions.
However, it is important to address data sharing challenges such as data privacy, security, and ownership. The European Union approaches these challenges through the Data Governance Act (DGA), but how can an organization best approach the DGA’s compliance requirements for secure data management?
- A.5.1 Policies for information security
- A.5.9 Inventory of information and other associated assets
- A.5.12 Information classification
- A.5.14 Information transfer
- A.5.15 Access control
- A.5.19 Information security in supplier relationships
- A.5.31 Legal, statutory, regulatory and contractual requirements
- A.6.2 Terms and conditions of employment
- A.6.3 Information security awareness, education and training
- A.8.21 Security of network services
- A.8.24 Use of cryptography
What is the Data Governance Act?
The Data Governance Act (DGA) is a legislative framework proposed by the European Commission to facilitate data sharing across the European Union. It entered into force on June 23, 2022, and became fully effective on September 24, 2023.
The DGA is designed to build trust in data sharing mechanisms and to provide clear rules and structures for data governance by, in practice:
- encouraging the reuse of specific categories of protected data held by EU public sector entities
- establishing a regulatory framework for organizations offering data sharing intermediation services
- introducing the concept of data altruism (i.e., voluntary data sharing for the common good and without compensation beyond the costs to make the data available)
- establishing the European Data Innovation Board (EDIB) to advise and assist the European Commission with the DGA’s implementation
The DGA is applicable to data sharing service providers and data altruism organizations.
Security aspects of the DGA
The DGA aims to enhance data availability and to ensure trust and compliance with data protection regulations, enabling the free flow of data across sectors and member states. In terms of secure data management, this means that data sharing service providers and data altruism organizations must:
- ensure the safe reuse of personal data and commercially confidential business data for research, innovation, and statistical purposes
- comply with established requirements for data sharing
- implement organizational and/or technical controls to facilitate data altruism
- ensure secure international data transfer to entities outside EU borders
What is ISO 27001, and how can it help you comply with the DGA?
In simple terms, ISO 27001 is the ISO standard that describes how to manage information security in an organization through the application of management practices and security controls. Several of these controls apply equally to protecting the confidentiality, integrity, and availability of information that is shared with other parties.
Based on a risk assessment and treatment approach, and on the identification of applicable legal requirements (e.g., laws, regulations, and contracts), ISO 27001 can help organizations improve the security of data sharing in the following ways:
| Control | Rationale | Documentation | Additional references |
|---|---|---|---|
| A.5.1 Policies for information security | Develop policies that address the secure aspects of data sharing according to the DGA | Any security policy or a procedure | 8 criteria to decide which ISO 27001 policies and procedures to write |
| A.5.9 Inventory of information and other associated assets | Maintain an inventory of shared information and its associated assets | Inventory of Assets | Asset management according to ISO 27001: How to handle an asset register / asset inventory |
| A.5.12 Information classification | Classify shared data based on its sensitivity and apply appropriate security measures | Information Classification Policy | How to classify information according to ISO 27001 in four steps |
| A.5.14 Information transfer | Define rules, procedures, or agreements on how information must be shared within the organization and with other parties (e.g., by which channels, between whom, etc.) | Information Transfer Policy | |
| A.5.15 Access control | Implement access controls to ensure that only authorized individuals can access environments that store or process shared information | Access Control Policy | How to handle access control according to ISO 27001 |
| A.5.31 Legal, statutory, regulatory and contractual requirements | Identify and comply with legal and contractual requirements related to information sharing | List of Legal, Regulatory, Contractual and Other Requirements | How to identify ISMS requirements of interested parties in ISO 27001 |
| A.6.2 Terms and conditions of employment | Sign security clauses with all people who can share information with external parties | | What to consider in security terms and conditions for employees according to ISO 27001 |
| A.6.3 Information security awareness, education and training | Make people understand why and how to protect shared information | Training and Awareness | How to perform training & awareness for ISO 27001 and ISO 22301 |
| A.8.21 Security of network services | Apply secure configuration to network services that are used to share information | Security Procedures for the IT Department | How to manage the security of network services according to ISO 27001 A.13.1.2 |
| A.8.24 Use of cryptography | Encrypt data in transfer | Policy on the Use of Encryption | How to use cryptography according to ISO 27001 control A.8.24 |
Don’t let insecure data sharing practices impair your business activities
The Data Governance Act and ISO 27001 serve different primary purposes, but they can complement each other in establishing a robust framework for data management and security. The DGA focuses on facilitating data sharing and reuse across the EU, while ISO 27001 provides a framework for managing information security.
Complying with the DGA involves establishing policies, processes, and procedures to ensure the protection, accuracy, consistency, and integrity of shared data. By implementing such practices, organizations can improve data quality, enable effective data management, and support data-driven decision-making.
By integrating ISO 27001’s systematic approach to information security into the implementation of the Data Governance Act, organizations can create a secure and efficient data governance framework that meets regulatory requirements and promotes trust in data sharing and reuse, preventing insecure practices that could impair business.
To protect data sharing using ISO 27001, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.