What is Data Portability?
Data Portability describes the right of individuals, in certain circumstances, to ask an organisation holding their personal data to transfer that data to another data controller (where technically feasible) or to provide it back to them.
In order for the right to apply in the first place, certain criteria must be satisfied. In particular –
- the organisation holding their personal data must hold it as data controller and must be processing it using automated means;
- the individual must have provided their personal data to the organisation; and
- the organisation must be processing the personal data either based on the individual’s consent or because it is necessary as part of the performance of a contract entered into with the individual.
Where the right applies and an individual makes a request to exercise it, the organisation must comply without undue delay, and in any event within one month of a request being made. The only exception to this timescale is where the number of requests and/or the complexity of those requests make it reasonable to apply a two-month extension to that period.
GDPR also requires that where the right applies, any data requested should be provided in a “commonly used and machine readable format”.
Breaking this down a little further, it seems to me that, in order to be able to comply with these requests, some of the key elements that organisations might need to consider are as follows:
- Can they identify the personal data they hold about individuals and, in particular, where such personal data is being processed by automated means based on consent or as part of the performance of a contract with the individual?
- Could they extract that information from other information held and remove any third party personal data?
- Could they collate that personal data and package it into a format that would be useful for the subject and/or the new controller?
- Even if they are a data processor processing personal data on behalf of a data controller (and are not caught by the data portability right itself), do they have “appropriate technical and organisational measures” in place to assist the data controller in responding to these requests?
- Do they have processes and procedures in place to ensure that personal data is kept secure at all times during this process including during transit to the new data controller or individual?
Wider customer benefits
The benefits of being able to have personal data ported from one organisation to another are evident, and this concept of opening data up is already beginning to happen in some sectors, be that as a result of new regulation, new technologies, or a combination of the two.
For example, as part of the UK Government’s Midata initiative, utility companies have, for some time, been encouraged to provide people with their usage data in a CSV format, and the roll-out of Smart Meters that is expected to take place in the next few years should fully automate this process. This should help facilitate the comparison between tariffs based upon actual usage and could help promote the creation of personalised tariffs.
In Banking, the Open Banking standards being pushed through by the Competition and Markets Authority will soon enable consumers to compare bank products in the same way as energy tariffs and to eventually move their transaction data from one bank to another or indeed to other service providers.
One other potential benefit for UK bank customers could be a new range of apps and services driven by wider access to our own usage data. For example, a number of services in North America (such as Mint) already enable consumers to bring all of their spending data into one place for budget planning, tax returns and so on, to the extent that tax returns are now almost automatic.
These are just a couple of examples – you could take virtually any sector and think of reasons why being able to move personal data easily from one provider to another could create consumer benefits.
A Data Portability strategy
GDPR seeks to give individuals more control over their personal data.
Further guidance is expected around how some of the new concepts introduced by GDPR will apply in practice. However, before GDPR takes effect and the requests start coming in, organisations of all kinds would be wise to consider the right to portability and what it means for their business, to assess their ability to comply with such a request, and to identify the value in being able to find, collate and securely supply personal data to an individual or a new controller in accordance with this new requirement.
Application of this right will create challenges and organisations should start now to consider what people, processes and tools they need in order to enable them to navigate through them.
Some questions that may be useful to consider at this stage:
- Are your colleagues aware of the right to data portability and what it means?
- Do they understand that, on receipt of a request, the organisation will have one month to comply?
- Do you have a process in place within your organisation to validate the identity of an individual making a request of this kind?
- Can you be certain that all of the personal data relating to any particular individual can be easily located and collated?
- What format should the personal data be presented in?
- Which elements of data should not be made available?
- In relation to which data does the right apply in the first instance?
- Does the right to data portability present a commercial opportunity to create new propositions?
How Experian can help
Our data management solution, Experian Pandora, could help support organisations in dealing with data portability activity by helping organisations to quickly locate and verify personal data relating to an individual and to package it in a way that may meet portability standards for your industry. You can read more about Experian Pandora’s key features and book a demo on our dedicated web pages.
Please note that while we can support businesses with their preparations for the GDPR, we cannot offer legal counsel or compliance advice.