The Data Act

Explore the EU Data Act, promoting fair data access and user rights. Learn how organizations can adapt to enhance data strategies and compliance.

The Data Act is a regulation that addresses data challenges and opportunities in the EU by promoting fair access and user rights while protecting personal data.

With the Data Act, the EU aims to give users of connected products (businesses or individuals that own, lease or rent such a product) greater control over the data they generate, while maintaining incentives for those who invest in data technologies. In addition, it lays down general conditions for situations where a business has a legal obligation to share data with another business.

The Act includes measures that enable users of connected devices to access and share data generated by them, which is typically controlled by manufacturers, thereby fostering innovative aftermarket services while incentivising manufacturers to invest in high-quality data generation. The EU aims to rebalance negotiation power for small and midsize enterprises by preventing issues in data-sharing contracts and providing model contractual terms to help them negotiate. The Act also facilitates public sector access to private sector data during exceptional circumstances, such as emergencies, to ensure rapid and secure responses with minimal business disruption. Additionally, it introduces rules for customers to easily switch between cloud data-processing service providers and establishes safeguards against unlawful data transfers. Lastly, the Data Act reviews aspects of the Database Directive, clarifying that databases containing data from internet-of-things (IoT) devices should not receive separate legal protection, ensuring their accessibility and usability.

How should organisations respond to the Data Act?

Organisations need to assess the impact of the proposed Data Act (DA) on their business and business model, identifying where changes are needed. The data available from IoT objects used by organisations could offer insights on efficiencies that help improve operations and create financial gains.

Trusted advisers can help organisations understand how this act can be applied within their existing framework by:

  1. Helping companies establish an effective data strategy to include how data is named, stored, processed, and shared. A complete data strategy assists the organisation in using data to generate value while enabling data quality, data security, compliance, and accessibility.
  2. Assisting in mapping the flow of data within the organisation's systems and processes, and creating a data inventory to identify the types of data being collected, stored, and processed, as well as the legal basis for processing.
  3. Guiding organisations in conducting assessments of the impact of data protection on high-risk data processing activities, and helping identify and mitigate potential privacy risks associated with specific projects or processes.
  4. Defining the technical and non-technical minimum requirements to promote DA compliance (data sharing conditions and compensations, balanced data contracts, collaboration with public administration, and so forth). If you are a data space operator and/or a data processing service provider, a set of essential requirements regarding interoperability should be defined as well.
  5. Advising on the implementation of vendor management processes to ensure that third-party service providers comply with DA requirements. This includes drafting balanced data-sharing agreements.

A comprehensive plan that addresses all the regulations covered by the EU’s digital strategy can create opportunities as well as mitigate risk.

To learn more, contact a Marsh representative.

The article is for information purposes only. Marsh makes no representation or warranty as to its accuracy. Marsh shall have no obligation to update the article and shall have no liability to any party arising out of this document or any matter contained herein. Any statements concerning actuarial, tax, accounting, labour, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, tax, accounting, labour, or legal advice, for which clients should consult their own professional advisers. Any analysis and information are subject to inherent uncertainty, and the article could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. Although Marsh may provide advice and recommendations, all decisions regarding the measures that should be adopted are the ultimate responsibility of the client.