The EU Data Act: a quick guide for insurers (and your fraud team)

Introduction

The EU Data Act is now rolling out across Europe, with the main rules coming into play from 12 September 2025. In short, it makes it easier for people and businesses to access the data created by their connected products (cars, smart-home devices, wearables, sensors) and to ask for that data to be shared with trusted third parties, such as their insurer.

One important reminder: the Data Act doesn’t replace GDPR. If the data is personal, GDPR still governs how you use it.

Why this matters for insurers

Real-time insights help identify patterns, detect fraud, and highlight process improvements – creating a cycle of continuous optimisation.

  • Cleaner evidence, faster decisions. With a policyholder’s instruction, you can receive device data (e.g., crash telemetry, leak alerts, entry logs) to validate claims and spot anomalies, which is useful for SIU and counter-fraud work, provided you stick to the agreed purpose and GDPR. (Source: Digital Strategy)
  • Tight usage rules. Third parties that receive data under a user request must use it only for the stated purpose; broader profiling is restricted unless necessary to deliver that service. (Source: WilmerHale)
  • Not every dataset is accessible. Some obligations don’t apply when the product/service comes from a micro or small enterprise, so access can be limited in edge cases. (Source: EU Data Act)
  • Cloud exit gets easier. If your fraud analytics runs in the cloud, switching providers must get simpler, and most switching/egress fees are banned from 12 January 2027 (phased in before then). Plan your exit routes now. (Source: Latham & Watkins)

What to do now

  • Add a “share my device data” step to claims and fraud workflows so customers can easily authorise data sharing from device makers.
  • Template your requests. Keep a handy list of common device brands (cars, wearables, smart-home) and exactly what details claims handlers need to ask for.
  • Be crystal clear on purpose. Document why you’re using the data, and limit access to the specific case. Separate or delete it afterwards in line with retention rules.
  • Log your GDPR basis. Record the lawful basis for each data flow (consent, contract, legitimate interests) and keep an audit trail.
  • Review cloud contracts. Check your analytics/fraud vendors for easy switching, transparent formats, and plans for the upcoming ban on most switching/egress charges.
  • Train your teams. Make sure handlers and SIU understand the do’s and don’ts, especially no repurposing and no unnecessary profiling.

Key dates

  • 11 Jan 2024  Regulation enters into force.
  • 12 Sep 2025  Main rules apply (including user access/sharing).

How kbs intelligence can help

We build fraud and claims data pipelines that use data only for the task at hand, comply with GDPR, and are easy to move between cloud providers. Get in touch to learn more.