Note: This is the tenth post in an ongoing series on GDPR. We’ll be preparing you all the way to May 2018 on topics like: Privacy Protection and Breach Notification, GDPR Compliance Strategies, GDPR Enforcement and Penalties, Potential GDPR Costs, GDPR Auditing and more.
GDPR Data Portability
Every day we move another step closer to the date for compliance with the European Union’s (EU) General Data Protection Regulation (GDPR), 25 May 2018. We have covered many topics in this series to help businesses prepare for GDPR. Today we will cover Data Portability. In discussing Data Portability, we will look at how it will impact the citizen or data owner. We will also look at what impact it could have on businesses. As with many aspects of GDPR and how it will be enforced, there are some ambiguities surrounding Data Portability and what businesses will be required to do. Businesses should be aware of the foundation of Data Portability from the outset of GDPR enforcement and then adjust accordingly based upon time and experience.
What does Data Portability mean for citizens or the owners of the data? Data Portability can be found in GDPR Article 20: Right to data portability. Some of the key points of this article are:
- The data subject (citizen/data owner) will have the right to request and receive their data
- The data shall be structured in a commonly used, machine-readable format
- The data subject has the right to transmit that data to another controller without hindrance from the controller who has the data
In essence, consumers will have the ability to request their personal data from businesses/organizations. They will also have the right to transmit that data to a new controller. The data owner can also request that data be transmitted from the current controller to a new controller. The rights of data portability are only applicable in certain situations, including: when the data is provided to the controller by an individual, where processing is based upon user consent or is contractually obligated, and where data processing is effected by automation. Even though there are restrictions, the effect this will have on businesses simply cannot be overlooked.
What major impacts will Data Portability rights have on businesses? Currently, businesses control to a large extent what data a consumer can request and how they use it. Businesses gain an advantage from consumers’ reluctance to switch service providers, since switching would mean providing their personal data to another data controller. In the end, the business limits competitors’ ability to obtain new consumers because of consumers’ reluctance to switch.
As with most of GDPR, there are some uncertainties. For instance, will the ease of obtaining the data and the ability to transfer it to a new data controller really help competitors compete for and obtain new consumers? Those results remain to be seen. Another gray area is the right of the data owner to request that data be transmitted from one controller to another. GDPR is vague, stating that the data should be transmitted when “technically feasible”. This provides a great amount of leeway for data controllers. Either way, businesses must be prepared with a baseline approach to GDPR and be flexible enough to change as necessary once GDPR enforcement begins.