The EU’s Data Act comes into force today, 12 September 2025. It introduces a new framework for data access, use, and sharing, with the goal of fostering a more competitive and innovative data economy across the EU. This legislation complements the existing data protection framework, particularly the GDPR, by addressing the growing volume of data generated by connected products and digital services.
For organisations, the Act marks a significant shift in how data must be governed, accessed, and shared. In this blog, we highlight the core provisions of the Act, the opportunities and challenges it brings, and what it means for privacy teams and organisations operating under EU data law.
What organisations need to know
The Data Act introduces a number of provisions designed to make industrial and IoT-generated data more accessible and usable. Key changes include:
- Users of connected products, ranging from smart devices to industrial machinery, will have greater rights over the data they generate. Businesses must ensure that such data is accessible to users in a usable format, and users will be able to share this data with third parties of their choice.
- The Act creates safeguards to ensure fairer contractual terms between businesses when sharing data. This includes granting both individuals and companies the right to access and share data with competing service providers.
- Public sector bodies will be able to request access to private sector data in cases of exceptional need, such as natural disasters or health emergencies. Organisations will need to establish clear internal processes to assess, respond to, and document such requests.
- The Act includes measures to reduce vendor lock-in in the European cloud services market. Customers must be able to switch providers more easily, while safeguards are introduced to protect non-personal data from unlawful access by third-country authorities.
Implications for DPOs and privacy teams
While the Data Act primarily targets non-personal and industrial data, its interplay with GDPR creates a complex compliance landscape. For Data Protection Officers (DPOs) and privacy teams, several priorities emerge:
- Since the Act extends obligations to non-personal data, organisations must expand their governance structures to manage the full spectrum of data, personal and non-personal, ensuring secure access, sharing, and retention practices.
- The Data Act does not override the GDPR. Where personal data is involved, DPOs must continue to verify that sharing occurs on a lawful basis, with appropriate safeguards in place. This requires cross-functional coordination to avoid inadvertent non-compliance.
- Legal and privacy teams should jointly review all data-sharing agreements to ensure compliance with the new requirements. The European Commission is expected to issue Model Contractual Terms, which will help establish consistency and provide organisations with useful templates.
- The Act expands on the GDPR’s right to data portability by introducing a broader right to share data. DPOs, privacy and technical teams should prepare to handle increased requests for data access and sharing, ensuring the data can be provided in a secure and machine-readable format.
- With new obligations around switching between cloud providers, organisations must revisit IT procurement and vendor management processes. Privacy teams should work with technical colleagues to ensure portability, interoperability, and contractual flexibility.
Beyond compliance, the EU Data Act is poised to be a catalyst for reshaping how organisations think about data ownership, sharing, and competition. For privacy teams and DPOs, it represents both a challenge and an opportunity - a challenge to adapt existing compliance frameworks beyond personal data, and an opportunity to build trust and transparency with users, partners, and regulators.
At HewardMills, we help organisations stay ahead of regulatory change. Whether it’s through governance reviews, policy updates, or preparing for cross-border compliance, our team offers practical, tailored support to help you navigate new data regulations with confidence.