Data Strategy Briefing — September 24, 2023

The EU Data Governance Act now applies, obliging boards to establish stewardship oversight, stand up implementation tracks for data intermediation and altruism compliance, and align DSAR and reuse operations with new transparency and consent controls across the data economy.

The European Union's Data Governance Act (DGA), Regulation (EU) 2022/868, became fully applicable on 24 September 2023. The DGA creates horizontal rules for the reuse of protected public-sector data, sets registration and conduct requirements for data intermediation services, and establishes a framework for recognised data altruism organisations. While the regulation aims to unlock more data sharing across the EU, it also introduces governance, implementation, and data subject interaction obligations for organisations that handle, broker, or steward data. Boards and privacy leaders must now integrate DGA compliance into broader data strategy, ensuring that operational controls align with General Data Protection Regulation (GDPR) duties and sectoral rules.

The DGA applies to a diverse set of actors: public-sector bodies making protected data available for reuse; private intermediaries providing data sharing platforms; data altruism organisations collecting consented data for the common good; and competent authorities registering and supervising these entities. The regulation supplements existing GDPR rights by imposing transparency, neutrality, and security obligations on intermediaries, and by emphasising human-centric consent mechanisms for altruistic data donations. Organisations that wish to participate in the emerging data economy must therefore expand governance structures to manage ethical and legal risks simultaneously.

Governance implications for boards and senior leadership

Boards should begin by assessing whether their organisation falls within the DGA's scope. Companies offering marketplaces or platforms for sharing personal or non-personal data likely qualify as data intermediation services and must adhere to neutrality obligations—prohibiting the use of shared data for competing purposes—and register with the relevant national authority. Governance committees should commission an inventory of data sharing activities, cataloguing datasets, participants, licensing models, and geographic reach. Board minutes should document decisions on whether to seek data intermediation registration, data altruism recognition, or to partner with recognised organisations.

Senior leadership must integrate DGA oversight into existing data governance councils. Cross-functional representation—from privacy, legal, security, product, ethics, and business units—ensures that decisions account for regulatory, technical, and commercial considerations. The council should establish policies covering neutrality, conflict-of-interest management, pricing transparency, and equitable access to services. Governance artefacts should include risk assessments for data sharing initiatives, referencing DGA requirements, GDPR compatibility, and potential competition law implications. Boards should receive periodic updates on registration status, supervisory authority interactions, and compliance metrics.

Organisations pursuing data altruism recognition must adopt additional governance mechanisms. The DGA requires altruism organisations to operate on a not-for-profit basis, implement specific consent management procedures, and maintain transparent reporting. Boards should oversee the creation of an ethics committee or advisory panel that evaluates requests for data access, ensures alignment with purposes of general interest, and reviews safeguards to prevent misuse. Annual activity reports must be approved by the governing body and published for stakeholders.

Implementation roadmap: registration, neutrality, and technical controls

Implementation efforts begin with registration processes. Data intermediation services must submit detailed applications to national competent authorities, describing corporate structure, service scope, safeguards, and compliance arrangements. Legal teams should prepare documentation covering security certifications, data management policies, and evidence of neutrality (e.g., functional separation from other business units). Technical architecture diagrams should illustrate how the platform segregates data, enforces access controls, and prevents unauthorised secondary use.

Neutrality is central to the DGA. Implementation teams must ensure that data intermediation services provide equal conditions for users, avoid discriminatory pricing, and refrain from harvesting metadata for competitive advantage. This may require establishing separate legal entities, firewalls between platform operations and other business units, and internal audits of pricing and access decisions. Contracts with data suppliers and users should clearly state rights, obligations, liability limitations, and dispute resolution mechanisms consistent with the DGA's fairness principles.

Security and interoperability controls must be strengthened. The DGA obliges intermediaries to implement appropriate technical and organisational measures, including encryption, access management, logging, and data integrity safeguards. Platforms should adopt standardised APIs, metadata schemas, and usage tracking to support accountability. For public-sector bodies releasing protected data, anonymisation or pseudonymisation must be robust, and any re-identification attempts should be prohibited contractually and monitored through audit trails.

Data altruism organisations face unique implementation tasks. They must deploy consent management tools that allow data subjects to give, withdraw, or modify permissions easily, aligned with the DGA's consent forms. Systems should support granular purpose selection, time-bound consent, and transparent information about recipients. Organisations must maintain detailed records of consent, data sources, and sharing activities, and they must provide annual reports to competent authorities. Implementing privacy-enhancing technologies (PETs) such as secure data enclaves, differential privacy, or federated analytics can reinforce trust and meet expectations for safe reuse.

Public-sector bodies must adapt internal processes to handle reuse requests within the timelines prescribed by the DGA. This includes establishing single points of contact, developing standard licence templates, and implementing mechanisms to evaluate applicant qualifications. Administrative systems should track requests, decision rationale, applicable conditions, and fee structures. When reuse involves personal data, bodies must coordinate with data protection officers to ensure compatibility with GDPR legal bases and safeguards.

Data subject rights, DSAR coordination, and user support

Although the DGA does not create new individual rights beyond those in existing privacy law, it reinforces the importance of responsive data subject interactions. Data intermediation services must provide tools that help data subjects exercise their GDPR rights, including access, rectification, erasure, and portability. DSAR processes should integrate with platform functionality, enabling users to view data sharing history, revoke permissions, and lodge complaints. Case management systems must record DSAR metadata—request type, verification steps, data assets involved—and coordinate with data providers to fulfil requests within statutory deadlines.

Consent management plays a central role in data altruism. Organisations must present user-friendly dashboards where donors can track who uses their data, for what purpose, and with what safeguards. When individuals withdraw consent, systems must propagate the instruction to all downstream recipients and log confirmations. DSAR teams should be trained to explain altruism frameworks, provide transparency reports, and liaise with researchers or public-interest projects to manage restrictions arising from withdrawals.

Public-sector bodies should also bolster DSAR capabilities. When releasing protected data that remains personal, they must ensure that data subjects can assert their rights. This may involve establishing secure communication channels, providing contact information for data protection officers, and cooperating with national data protection authorities. Additionally, bodies must offer mechanisms for individuals to object to reuse that could harm their interests; DSAR teams should coordinate with legal counsel to evaluate such objections and respond with reasoned decisions.

Trust is critical. Intermediaries and altruism organisations should set up independent complaint-handling mechanisms, publish performance metrics (e.g., DSAR turnaround, withdrawal rates), and engage with civil society to refine user support. Boards should review these metrics quarterly to ensure that DSAR operations align with both DGA requirements and organisational values.

Oversight, reporting, and continuous improvement

Compliance is an ongoing process. Data intermediation services must prepare to face supervision from national authorities, including audits, information requests, and potential penalties for breaches. Internal audit functions should schedule periodic reviews covering neutrality policies, security controls, DSAR performance, and contractual compliance. Findings should be logged in risk registers with clear remediation timelines and responsible owners.

The DGA requires transparency reporting. Data altruism organisations must publish annual activity reports detailing the data collected, purposes served, recipients, and results achieved. Governance teams should develop reporting templates, verify data accuracy, and ensure accessibility for stakeholders. Intermediaries may also consider voluntary transparency reports summarising key metrics, which can strengthen trust with regulators and users alike.

Training is essential to embed DGA obligations. Programmes should cover staff awareness of neutrality rules, consent management, DSAR handling, and incident reporting. Specialist training for product managers and engineers should explain interoperability standards, security expectations, and how to design user interfaces that respect consent and rights. Training completion should be tracked and tied to performance objectives.

Organisations should engage with the broader European data strategy ecosystem. Participation in data spaces, industry consortia, and standards bodies can provide early visibility into best practices and regulatory interpretations. Monitoring guidance from the European Data Innovation Board and the European Commission will help organisations adjust policies as the data economy evolves.

By embedding DGA compliance into governance structures, executing targeted implementation projects, and aligning DSAR and consent operations with the regulation's principles, organisations can unlock new data-sharing opportunities while maintaining trust and regulatory confidence across the European Union.
