Now that the GDPR is in effect, companies face the prospect of giving individuals back their data should they ask for it.
What is Data Portability?
Article 20 of the GDPR introduces a right to data portability. Its general purpose is to give individuals the right to:
- obtain and reuse their personal data for their own purposes
- move or transfer personal data from one system to another safely and securely.
This gives individuals much more control over their own personal data. All of their data must be provided upon request in a common machine-readable format that the user can then inspect themselves or give to any third party without having to use any further processing or additional software.
An example of this is if you have a software application which stores the personal data of individuals in a customer database based on their purchases and account activities.
To be compliant, you must be able to transfer this data into a commonly readable format, like an Excel or a Comma-Separated Values (CSV) file, should an individual request a copy of all data pertaining to them. If you cannot currently send the data in a common format, there are a few solutions, such as updating the software to a version which supports Excel conversions, if possible, or finding new software which supports a common GDPR-compliant export format. Most software vendors are aware of their customers' obligations under the GDPR and have updated their applications to suit. Also, many competent IT support companies will be able to provide you with utilities to extract an individual’s data from the underlying database, unless it is encrypted.
Benefits of Data Portability
Data Portability may actually be a positive for processors and individuals alike. There’s currently a concept in place called ‘Midata’ which is used to share/export certain data from one organisation to another, for example uploading energy usage data from your provider to a comparison website in order to save money.
The right to data portability does not affect any other rights associated with GDPR. If a request is made, the individual can still continue to benefit from the data processor’s services, though the expectation is that an individual may request their data in order to facilitate transitioning to a new provider. This right can be exercised at any time as long as the data controller is still processing and in possession of the data.
Grounds for refusal
If you consider that a request for Data Portability is manifestly unfounded (you have no data for the individual or no meaningful data worth providing beyond e.g. their email address) or excessive (they are making numerous spurious requests), then you can:
- request a "reasonable fee" to deal with the administrative costs of the request; or
- refuse to deal with the request.
In either case you will need to justify your decision.
You can also refuse a request if there is no personally identifiable data, e.g. if it has been aggregated for reporting or compliance purposes, or if providing the individual with data could inadvertently compromise someone else’s personal data or privacy.
Along with personal data pertaining to the individual, any other data provided to the data controller by this individual also falls within the scope of a data request and of data portability. This includes data that may have been filled out in a form and submitted to an organisation or provided in the course of dealing with the data processor's staff or systems.
Much like many other requests that come through GDPR, the processor must deal with the request within one month of receiving it, although this can be extended to 3 months if it is a complex request and the requesting party is informed of the delay. Most data processors with well-maintained and supported systems should have nothing to worry about from the concept of Data Portability, and there are some limited safeguards in place to ensure that it isn't abused. Freedom of movement of data can only benefit everyone in the long run, and it is common sense to be wary of organisations that want to lock you, and your data, in.