We all know that the General Data Protection Regulation (GDPR) will come into force on 25th May 2018. It introduces a new right, namely the right to Data Portability (Article 20).
So what is data portability?
Wikipedia states that “Data portability is a concept to protect users from having their data stored in “silos” or “walled gardens” that are incompatible with one another, i.e. closed platforms, thus subjecting them to vendor lock-in. Data portability requires common technical standards to facilitate the transfer from one data controller to another, thus promoting interoperability.”
So – is this what the GDPR is referring to?
Well, not entirely. Wikipedia approaches it from a business / process point of view and GDPR approaches it from a customer / data subject’s point of view.
The ICO’s guidelines on Data Portability state that “The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.”
So – as you can see – it’s not exactly the same thing (similar – but not the same!)
Article 20 of GDPR allows Data Subjects to receive the personal data they have provided to a Data Controller in a structured, commonly used and machine-readable format, and to transmit it to another Data Controller. The aim of this right is to support user choice, user control and consumer empowerment. It will have a big impact on all Data Controllers, but particularly on data-driven organisations such as banks, cloud storage providers, insurance companies and social networking websites. These organisations may find that customers are encouraged to move suppliers, as they will be armed with much more information than they previously had access to. This in turn may lead to an increase in competition, driving down prices and improving services.
While this is a utopian view, most companies (including yours) would already be providing a similar service.
When does the right to data portability apply?
The right to data portability only applies:
- to personal data an individual has provided to a controller
- where the processing is based on the individual’s consent or for the performance of a contract and
- when processing is carried out by automated means.
Is there a cost involved or can you charge for this service?
No – The information must be provided free of charge and within a month’s time (extendable to two months if the request is complex or you receive a number of requests – but you must inform the data subject of the delay). Furthermore, if the individual requests it, you may be required to transmit the data directly to another organisation if this is technically feasible. However, you are not required to adopt or maintain processing systems that are technically compatible with other organisations.
Remember: If the personal data concerns more than one individual, you must consider whether providing the information would prejudice the rights of any other individual.
Can I not comply with a request?
Yes, you can, BUT tread very carefully. Where you are not taking action in response to a request, you must explain why to the individual without undue delay and at the latest within one month, informing them of their right to complain to the supervisory authority and to a judicial remedy.
Here’s where we can help:
Totale Learning create bespoke GDPR solutions (consultation, training and development, etc.) that are tailor-made to your business. Our experienced consultants will help you through your GDPR process and, when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at firstname.lastname@example.org or visit www.totalelearning.com. You can also contact us on LinkedIn, Facebook or Instagram.