The General Data Protection Regulation (GDPR) helps to rebalance the relationship between businesses and individuals in relation to their personal data. If nothing else, the new regulation is intended to help restore ownership of personal data to the citizen.
And this is where Article 20 comes into play. As well as giving data subjects the right to know what personal information your business holds, Article 15 also mentions their right to request a copy of that information. But Article 20 helps to clarify the specifics of that data export.
Introducing the right to data portability
Article 20 specifies:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.
In simple terms this means that any individual can request a copy of their personal data – and you must fulfil that request. You should also note that under the GDPR, personal data also includes information that has been generated by their activity using your service.
The export must be supplied in a “machine readable format”, such as CSV, XLS, SQL, JSON or XML; any of the common database formats that can be used for re-import into another system. If your industry has a standard data format, this should be used instead.
The idea behind data portability is that individuals can take their information and submit it to another competing service. This gives the data subject greater control over their information and allows them to switch service provider whenever they choose to get a better deal, or to take advantage of features that you do not offer.
In this way, the GDPR could be a useful tool for increasing competition in some industries. Consumers regain control of their personal data and enjoy increased choice of service providers too.
A new headache for data controllers
Paragraph 2 of Article 20 should give any data controller – including you – pause for thought:
In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
So your responsibilities go beyond simply providing customers with a copy of their data. You are expected to try to carry out the transfer to the new service as well.
What might this look like? Say a user uploads their digital address book to their Google Apps account. Later they decide to move across to Microsoft Office 365, so they make a data access request to Google. Under GDPR Google is expected to not only provide the customer with a copy of their address book, but to perform the data transfer to Microsoft on their behalf.
This is a relatively simple scenario, but repeated thousands of times each day, the overheads could be considerable.
Don’t overstep your responsibilities
Article 15 gives data subjects the right to know what information you hold, and to request a copy of that information. And Article 20 says that the information must be exported in a machine-readable format.
Importantly, this requirement only extends to the information that the subject supplied themselves. You do not have to supply portable copies of data you have created based on the information they supplied to you – like a profile created from their user data.
Genuinely anonymous data is also exempt from data portability requests. Hardly a surprise given that you don’t know who the anonymous records actually belong to. If you retain some kind of personal identifier alongside “anonymous” records, then you will need to pass that information along.
When do we not have to supply information?
Subsection A of Paragraph 1 of Article 20 specifies the conditions under which information should be supplied to the data subject:
[When] the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1)
If the data has been shared under contract or consent, it is covered by the data portability requirement.
Subsection B specifies:
[When] the processing is carried out by automated means.
By extension of logic, if personal data is processed manually, it is exempt from the data portability requirement.
Say one of your account managers jots down some notes in their desk diary during a call with a customer. That information has been created manually and will only be read (processed) by the account manager to assist with future campaign planning. Manual processing means those notes – and virtually any data that exists purely in paper format – are exempt from the data portability requirement.
You will still have to give this information to a data subject if they ask for it – but there is no obligation to provide it in a machine-readable format, or to automate transfer to another service provider.
It is also worth remembering the GDPR concept of “legitimate interests”. Personalising your website based on user interests can be considered as a legitimate use of personal data – and you could argue that there is no need to include those details in any subject data access request report.
Streamline the data export process
As the number of data subject access requests increases, your business will need to streamline the fulfilment process. Ideally you want to automate as much of the system as you can too.
The European Union Data Protection Working Party formulated a number of guidelines to help businesses better understand their obligations regarding the right to data portability. In their recommendations they suggested several ways that businesses could improve compliance and overall user experience.
In their report they recommend:
- Using Application Programming Interfaces (APIs) and download tools to satisfy portability requests. A download tool would allow individuals to initiate a data export themselves. An API would assist with the automated transfer of personal data between services.
- A user-defined export routine. It is unlikely that customers will want all of their personal data with each request. Instead they should be provided with a self-service tool that allows them to select only the data sets they are interested in.
- Defining machine readable formats. The exported data must be machine-readable, ready to be imported into another system or service. PDF files are machine readable, but they could constitute an unnecessary barrier to portability.
And don’t forget – the export and transfer process needs to be secured against loss, theft or interception.
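A sketch of the user-defined export routine recommended above, as an added example that is not part of the original article or the Working Party guidelines: the data subject picks data sets, controller-created data such as profiles is left out, and the result is JSON with a SHA-256 digest the receiving system can check. The store layout, the `origin` labels and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import json

# Constructed sample store. "origin" is an assumed label:
#   provided = supplied by the subject, observed = generated by their activity,
#   derived  = created by the controller (e.g. a profile), not ported.
SAMPLE_STORE = {
    "user-1001": {
        "contacts": {"origin": "provided",
                     "rows": [{"name": "A. Example", "email": "a@example.org"}]},
        "login_history": {"origin": "observed",
                          "rows": [{"ts": "2018-05-25T09:00:00Z", "device": "web"}]},
        "marketing_profile": {"origin": "derived",
                              "rows": [{"segment": "high-value"}]},
    }
}
PORTABLE_ORIGINS = {"provided", "observed"}


def build_export(store, subject_id, requested_sets, authenticated_id):
    """Return a JSON export of the requested portable data sets."""
    # Only the authenticated data subject may export their own record.
    if authenticated_id != subject_id:
        raise PermissionError("export may only be requested by the data subject")
    record = store[subject_id]
    unknown = sorted(set(requested_sets) - set(record))
    if unknown:
        raise ValueError(f"unknown data sets: {unknown}")
    included, skipped = {}, []
    for name in sorted(set(requested_sets)):
        if record[name]["origin"] in PORTABLE_ORIGINS:
            included[name] = record[name]["rows"]
        else:
            skipped.append(name)  # reported so the omission is visible
    # Canonical JSON so the digest is stable across systems.
    body = json.dumps({"subject": subject_id, "data_sets": included},
                      sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return {"body": body, "sha256": digest, "skipped": skipped}


def verify_export(body, sha256_hex):
    """Receiving side: detect truncation or corruption of the export."""
    actual = hashlib.sha256(body.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, sha256_hex)
```

The digest only detects corruption or truncation; confidentiality of the transfer still depends on an encrypted, authenticated channel, which this example leaves out.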
It is highly unlikely that your business already has these mechanisms in place. But as GDPR beds in, you will need to look at how you can better fulfil data portability requests from your customers. The Working Party recommendations are an excellent start – but you will need to begin work sooner rather than later.
The list of things you must do to achieve GDPR compliance is extensive, complicated, time-consuming – and completely unavoidable. To learn more about preparing for – and fulfilling – data portability requests from your clients, please get in touch.