Data Strategy Briefing — November 9, 2023
The European Parliament’s adoption of the Data Act demands governance structures for data sharing, implementation timelines, and DSAR-compatible transparency covering IoT access, cloud switching, and public sector requests.
Executive briefing: On November 9, 2023, the European Parliament formally adopted the Data Act, approving the provisional agreement reached with the Council of the European Union. The regulation establishes harmonized rules for accessing and using data generated by connected products and related services, facilitates switching between cloud and edge providers, regulates international data transfers, and empowers public bodies to access data in exceptional circumstances. Controllers and manufacturers must build governance frameworks, implementation roadmaps, and DSAR-aligned transparency to manage obligations that will apply 20 months after entry into force (expected in 2025) with phased timelines for product design and contractual updates.
Governance structures for data sharing
The Data Act requires manufacturers and service providers to design products that make data easily accessible to users—whether individual consumers or business customers—and to provide that data to third parties at the user’s request. Boards should oversee the establishment of data-sharing governance committees comprising legal, privacy, product engineering, security, and DSAR leads. Governance policies must define roles for fulfilling user access requests, verifying third-party recipients, and safeguarding trade secrets. Organizations should align the Data Act with existing GDPR governance structures, ensuring that data access under the Data Act complements data subject rights without creating conflicting processes.
Contracts with business users must be updated to avoid unfair terms, particularly those that limit liability or restrict data portability. Governance frameworks should include mechanisms for reviewing and approving contract templates, verifying that clauses comply with the Data Act’s fairness principles and that DSAR teams can coordinate responses when users invoke both GDPR and Data Act rights.
Implementation roadmap
Companies should plan for a staged implementation:
- Gap analysis (0–120 days): Identify connected products and services in scope, map data types generated (including personal and non-personal data), and evaluate existing access mechanisms. Assess DSAR processes to determine how they will integrate with Data Act requests. Document data storage locations, cloud providers, and cross-border transfers.
- Design and build (120–360 days): Develop technical solutions for data access—APIs, dashboards, downloadable files—that provide real-time or near real-time data to users. Implement authentication, authorization, and logging controls to verify users and third-party recipients. Create governance rules for handling trade secrets and intellectual property, ensuring responses balance transparency with protection of confidential information. Update DSAR portals to explain Data Act rights and provide combined intake options.
- Contractual updates (360–540 days): Revise terms of service, data-sharing agreements, and service-level agreements to comply with the Data Act’s fairness requirements. For cloud and edge services, implement contractual commitments to enable switching within 30 days, provide transitional assistance, and limit exit fees. Ensure contracts specify DSAR responsibilities, incident notification, and international transfer safeguards.
- Operational readiness (540 days onward): Launch training, customer communications, and testing. Perform dry runs of user requests, third-party access, and public sector data sharing scenarios. Monitor guidance from the European Commission on interoperability, smart contracts, and dispute resolution mechanisms.
DSAR integration and transparency
The Data Act complements but does not replace GDPR rights. Controllers must coordinate DSAR responses with Data Act requests to prevent duplication or conflicting information. DSAR systems should capture whether a requester is exercising GDPR access rights, Data Act user rights, or both. Responses should specify data categories, formats, and transmission methods. When sharing data with third parties nominated by the user, controllers must verify consent and document legal bases, ensuring confidentiality and security.
For personal data, GDPR timelines (one month) still apply, while the Data Act requires provision without undue delay. DSAR teams should set service-level agreements that meet the strictest timeline. Maintain logs of disclosures, recipient identities, and security measures. When users request deletion or restriction under GDPR, ensure Data Act data-sharing processes honor those directives and propagate changes to third parties.
Controllers must provide information about how data will be shared, any charges applied (cost-based only), and the safeguards in place. Update privacy notices and customer documentation to describe Data Act rights, DSAR contact points, dispute resolution options, and appeal pathways.
Cloud switching and interoperability
The Data Act obliges cloud and edge providers to enable switching within 30 days, remove unjustified contractual barriers, and support interoperability through standardized interfaces. Providers must gradually phase out switching charges within three years. Governance teams should inventory dependencies, design migration playbooks, and update DSAR processes to reflect where data resides during transitions. Ensure that logs of switching operations are retained, enabling responses to user queries about data location, retention, and deletion.
Interoperability requirements will be further defined through implementing acts. Participate in standardization efforts (e.g., European Telecommunications Standards Institute, International Organization for Standardization) and prepare for certification schemes. Align interoperability projects with DSAR obligations by ensuring that metadata, data dictionaries, and schema documentation are available for rights requests.
Public sector data requests and exceptional need
The Data Act allows public bodies to request data in cases of exceptional need—such as responding to public emergencies or fulfilling legal obligations. Organizations must establish procedures to evaluate requests, verify legal grounds, and ensure proportionality. Maintain registers documenting request details, data provided, retention periods, and DSAR implications. Notify users when legally possible and provide transparency reports summarizing public sector requests.
When responding to public body requests involving personal data, apply GDPR safeguards, including data minimization, secure transmission, and accountability. Document how DSAR processes handle questions from individuals seeking information about public sector disclosures, noting any legal restrictions on disclosure.
International data transfers and safeguards
The Data Act requires providers to prevent unlawful international data transfers, particularly when foreign governments seek access to EU data. Implement technical and legal measures—encryption, access controls, contractual clauses—that ensure compliance with EU data transfer rules. Maintain inventories of third-country access requests and integrate them with DSAR workflows to provide transparency to users while respecting national security exceptions.
Metrics, assurance, and dispute resolution
Track metrics such as volume of Data Act requests, average fulfillment time, number of third-party recipients onboarded, DSAR response times, and incidents involving unauthorized disclosures. Establish internal audit programs to test controls, simulate public sector requests, and review contractual compliance. Prepare for alternative dispute resolution or mediation mechanisms that the Commission may establish, documenting case outcomes and improvements.
Training and stakeholder engagement
Develop training for product managers, engineers, customer support, and DSAR teams covering Data Act obligations, data sharing security, and communication protocols. Provide guidance to sales and procurement teams on contractual requirements. Engage with industry associations, the Data Innovation Board, and national competent authorities to stay informed about implementation guidance.
Next steps
Within six months, conduct a comprehensive gap assessment, brief executive leadership, and allocate budget for technical and contractual updates. Within 12 months, deploy new data access mechanisms, refresh DSAR systems, and update customer documentation. Before the regulation applies in 2025, finalize interoperability projects, cloud switching capabilities, and public sector request playbooks. Integrating governance, disciplined implementation, and DSAR transparency will enable organizations to comply with the Data Act while unlocking trustworthy data sharing.




