DSIT Publishes Consultation On Empowering Individuals Through Data Intermediaries

On June 8, 2026, the UK Department for Science, Innovation and Technology (DSIT) published a consultation entitled “Empowering people through data intermediaries” (the Consultation).

Data intermediaries help people to access, manage and share their data. The Consultation focuses on personal data intermediaries that enable individuals to exercise their UK GDPR data subject rights, particularly the right of data portability. It seeks views on how to remove barriers facing data intermediaries and how to support the development of a trusted data intermediaries market in the UK. 

Three inter-related barriers constraining intermediaries were identified in a UK government call for evidence in 2025:

• Legal ambiguity: lack of clarity on the role of data intermediaries and whether they can exercise UK GDPR data subject rights on behalf of an individual. The Consultation suggests that legal ambiguity creates uncertainty for both data intermediaries and controllers. 
• Controller uncertainty: delays and friction can arise when intermediaries look to exercise data subject rights for individuals. The Consultation states that controllers flag concerns regarding risk, unclear obligations, or a lack of standardised processes to respond to intermediaries.
• Lack of awareness: public awareness of data intermediaries and the services they provide is limited which impacts trust and uptake. 

The government is considering how to remove these barriers. In doing so, it notes the approach that other countries have taken to establish trust in services that handle or transfer data. It also recognises a number of risks associated with the use of data intermediaries (e.g. coercive delegation of rights, data concentration encouraging malicious actors and attacks, increased costs and demands to respond to more data subject rights requests, market concentration).

The Consultation sets out a range of potential legislative and non-legislative options to remove the three barriers for data intermediaries. Legislative proposals include:

• Amending the UK GDPR to clarify that data subject rights may be delegated to third parties and exercised by a data intermediary on behalf of an individual.
• Aligning with international frameworks to support international data flows and reduce friction. The Consultation explores the EU Data Governance Act approach of regulating intermediaries through notification, registration and certification (without imposing requirements on controllers regarding their response). The Consultation acknowledges that the EU Digital Omnibus proposals are likely to change the EU regime. Further work will be required to ensure alignment.
• Establishing an authorisation framework for data intermediaries. The Consultation explores different design approaches from light touch notification to more complex licensing models for intermediaries. Expectations would also be set for controllers on how they should respond to intermediary requests.
• Targeting a subset of organisations (those that have strategic market status) and requiring them to provide a portability application programming interface (API). 

Non-legislative options include developing Information Commissioner’s Office (ICO) guidance, codes of practice, or non-statutory authorisation schemes to support responsible operation and improve confidence among users and controllers. 

DSIT notes that these options are intended to be complementary and could be taken forward individually or in combination. 

The Consultation page is available here, and the full Consultation document here.

The public consultation is open until August 31, 2026, and responses may be submitted here.