GDPR Top Ten: #1 Data Portability
Legal obstacle or opportunity?
Data portability creates a new right for individuals to have more control over their own data. This new right could lead to considerable costs for organizations, but it also provides a strategic opportunity if implemented in the right manner.
8 May 2017
Introduction: GDPR obligation difficulties
According to the IAPP Annual Privacy Governance Report 2016 data controllers consider three aspects of the GDPR most challenging to implement in their organization: the right to be forgotten, data portability and gathering explicit consent. In this blog we will elaborate on why the implementation of the GDPR and the right of data portability deserves your attention and why this represents a risk but also a strategic opportunity for your organization.
What is data portability?
“Data Portability” is 1) the ability and capacity to export data collected or stored digitally concerning a data subject AND 2) the ability to receive data concerning the data subject and to allow another controller to receive portable data. The Data Portability requirement entails both a technical design requirement and a data subject rights requirement. From a technical perspective, data controllers will need to ensure their systems, connected products, applications and devices that collect and store information on data subject also have the added functionality of porting and transmitting data. In some cases, this will require controllers to tweak or redesign some systems, products, applications and devices. Furthermore, the new porting functionality must export data in a structured, commonly used and machine-readable format so that reuse of the data is possible.
From a data subject’s right perspective, the right to data portability creates a new right for individuals to exercise more control over their own data. It enables individuals to receive personal data concerning him or her, which he or she has provided to a controller. Thus, data controllers will need to establish and implement processes, in addition to added systems and digital propositions/products functionality, that aid in processing data subject requests whether in manually or in automated fashion. After receiving the data the individual must be able to transmit this data to another controller without creating additional burden or hindrance to the previous data controller. The right to port data also entails that where technically feasible, the personal data will be transmitted directly from one controller to another. Please be aware that the right to request a copy in a machine readable format is only possible if the data concerned was i) provided by the individual to the controller; ii) processed by automated means, and iii) processed based on consent or fulfilment of a contract.
Linked to other rights
Data portability is part of a larger spectrum of data subject rights: access to and rectification or erasure of personal data, the right to object to decisions based on automated means, as well as notifying data subjects of a personal data breach. Again, data controllers will need to implement supporting processes to be able to comply with these requests. For a data controller the process to carry out a request to port data could imply that you must facilitate different actions that are similar to the execution of other data subject rights. First, you may have to give the individual access to the personal information so that he knows what personal data is being processed. Second, you could have to rectify inaccuracies if the individual requests so; and third you might have to erase all the personal data (compliant with established retention schedules and legal contracts) if the individual asks to transfer his data to another service provider. Therefore three other data subject rights could be impacted when processing a data portability related request. Note however that the right of access, rectification and erasure are not similar to the right to data portability, it merely could imply that the data controller uses the same processes for these rights as it would need to facilitate the right to data portability.
In practice this means that you have to have the ability to provide your client or customer with a copy of all the personal data that you have regarding him or her; and the ability to transfer the data to another data controller or service provider. The data that you have regarding a costumer or client is interpreted as all the data that the individual has provided actively and knowingly. This includes information the individual has provided to you by using the service or device (for example, location data or heartbeat from a fitness tracker). This could therefore be a large collection of data. Furthermore the data must be provided in a way that facilitates reuse. For example, email must be provided in a format which preserves all the meta-data to allow effective reuse. Providing emails in pdf format would not suffice, because this is insufficiently structured for reuse. To comply with a request for data portability could be time consuming and lead to considerable costs for many organizations that have not already adopted a privacy by design approach to the design and build of their systems and digital products and propositions.
The reason why this right is expected to have a large impact on your business, is that it alters the relationship between individuals and data controllers. Individuals are enabled to manage their data across different platforms, via for example a direct download tool or application. Eventually the platform that the individual prefers shall receive all the personal data. If you are not the preferred platform you might be obligated to transfer your data to a competitor and potentially be requested to erase the (valuable) data you have collected over the years. This leads to more competition between data controllers and should be taken into account when determining your business strategy.
Make it an advantage
i) Try to be efficient. Controllers must be able to comply with the request without undue delay and in any case within one month of receipt of the request. If you implement a process to port data, you should implement a procedure to process other individuals’ requests in accordance with law and provide extra services, for example by guaranteeing more data security.
ii) Aim for the competitive advantage. Think about developing a user-friendly tool or interface that involves the individual and gives them more transparency, insight and control over their own data than other competitors.
This right gives customers the ability to switch service providers more easily, make sure they transfer their personal data to your organization and not your competitor’s.
Introduction to Deloitte article series on GDPR
A recap of our Top Ten Series and a glimpse of what is yet to come