Data act

Currently, the Data Act (DA) is in the process of being finalised by the European Parliament and Council. The latest version aims to give users of objects or devices full access to the data — both personal and non-personal — they generate.

Manufacturers do not always design products in a way that allows consumers, businesses, and public authorities to take full advantage of the digital data they create when using internet of things (IoT) objects. This can create a situation where there is no ability to access and utilise this digital data.

The rules will apply not only to manufacturers but also to providers of connected products and services available in the EU, those who receive or hold data in the region, and providers of data processing services offered there.

The latest version of the Data Act includes measures:

  • To enable users of connected devices to access the data they generate and share this data with third parties to provide after-sales or other innovative data-driven services.
  • To rebalance the bargaining power of small and medium-sized enterprises (SMEs) by preventing the abuse of contractual imbalances in data-sharing contracts. The DA will shelter SMEs from unfair contractual clauses imposed by a party with a significantly stronger bargaining position.
  • To enable public bodies to access and use data held by the private sector that is needed in exceptional circumstances, particularly in public emergencies such as floods and fires, or to implement a legal mandate if the data is not otherwise available.
  • To allow customers to switch between providers of data processing services in the cloud and implement safeguards against illegal data transfer.


Importantly, the latest version of the act leaves the door open for the EU to update the legislation as necessary, allowing it to be more reactive as market conditions evolve.

How should organisations respond to the proposed Data Act?

Organisations will need to assess the impact of the proposed DA on their business and business model, identifying where changes are needed and where further attention needs to be paid to current processes. The data available from IoT objects used by organisations could offer insights on efficiencies that help improve operations and create financial gains.

Trusted advisers can help organisations understand how this act can be applied within their existing framework by:

  1. Helping companies establish an effective data strategy to include how data is named, stored, processed, and shared. A complete data strategy assists the organisation in using data to generate value while enabling data quality, data security, compliance, and accessibility.
  2. Assisting in mapping the flow of data within the organisation's systems and processes. Creating a data inventory to identify the types of data being collected, stored, and processed, as well as the legal basis for processing.
  3. Guiding organisations in conducting assessments of the impact of data protection on high-risk data processing activities. Helping identify and mitigate potential privacy risks associated with specific projects or processes.
  4. Defining the technical and non-technical minimum requirements to promote DA compliance (data sharing conditions and compensations, balanced data contracts, collaboration with public administration, and so forth). If you are a data space operator and/or a data processing service provider, a set of essential requirements regarding interoperability should be defined as well.
  5. Advising on the implementation of vendor management processes to ensure that third-party service providers comply with DA requirements. This includes drafting balanced data-sharing agreements.

A comprehensive plan that addresses all the new legislation covered by the EU’s digital strategy can create opportunities as well as mitigate risk. Read more about the opportunities created by the Artificial Intelligence Act.

This is the second episode in our series “Prepared for the unexpected: the dynamic risks series”.

The article is for information purposes only. Marsh makes no representation or warranty as to its accuracy. Marsh shall have no obligation to update the article and shall have no liability to any party arising out of this document or any matter contained herein. Any statements concerning actuarial, tax, accounting, labour, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, tax, accounting, labour, or legal advice, for which clients should consult their own professional advisers. Any analysis and information are subject to inherent uncertainty, and the article could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. Although Marsh may provide advice and recommendations, all decisions regarding the measures that should be adopted are the ultimate responsibility of the client.