Data portability – A utopian GDPR requirement?
One significant but less discussed aspect of the GDPR is data portability. It is a very complicated matter that CIOs, CISOs, IT managers, data architects, and other personal data controllers must research thoroughly.
Data portability is introduced in article 20 of the GDPR. It defines the new right for data subjects to port data about themselves. It is related to the rights to have access to personal data and to be forgotten, but in many ways it is a very different thing.
The purpose of the right to data portability is to support user choice, user control, and consumer empowerment. This the exact wording of the Article 20:
“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”
Of course, you do already store personal data in a structured and machine-readable format, don’t you? Well, even though you may be able to say yes, you are most probably just speaking about your own ICT environment.
Responsibilities of data controllers
The wording of the GDPR is demanding, but it also seems to leave room for interpretations:
“The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.”
It would be tempting to just refer to the last three words, and say: “Sorry, we could not do it, because it simply wasn’t feasible”. But that won’t make you compliant. How can GDPR compliancy be achieved in regard to article 20?
The European Commission has published a guidelines document, which urges development of means that will contribute to answering data portability requests. It uses the term “data controllers” as a general reference to organisations that handle and store personal data.
For the data controllers, data portability may seem like a utopian project causing a major headache and huge costs. So far, everyone has handled and stored data internally based on their own business needs.
The guidelines document and its separate FAQ clarify the responsibilities of data controllers. They state that data must be easily transferable from one IT environment to another.
Urgent need of APIs and standards
Basically, data should be made universally interoperable. It is up to data controllers to guarantee that they can provide individuals with data for personal purposes or for transfer to another controller.
The GDPR does not demand storing data in a fully universal format. No-one is being forced to create and maintain compatible ICT systems overnight either.
One solution to achieve data portability is to step on a higher level: The guidelines suggest using Application Programming Interfaces (APIs) that enable portability by interacting with any software to process requests submitted by or on behalf of data subjects. This means such APIs should be urgently crafted, bearing in mind that APIs involve security risks. Portability must not compromise shared data due to bad security measures.
Thankfully, you don’t have to invent everything by yourself. The guidelines recommend that industry stakeholders and trade associations work together to draft commonly shared standards on data portability. However, as long as no such currently exist, organizations can’t remain in waiting mode.
Restrictions and benefits
Luckily, there are important restrictions in the right to port data. First, the right is limited to data provided by the data subject, “knowingly and actively”. Second, the data must be processed by automated means, which excludes manually processed data.
The guidelines also discuss the possibilities to limit the scope of data to be exported or imported. Data subjects could be given freedom to choose which data fields they wish to be included and which should be ignored. Another option is to use APIs that minimise unnecessary fields automatically. It is even part of data privacy that excessive data be skipped in eventual transfers.
Fulfilling the right of data portability will be a big part of GDPR projects across organisations. It will consume resources, but as my colleague Maria Nordgren has pointed out, it will also be beneficial for the customer experience. Also, when data is made portable, businesses can expect others to do the same. It will also make your ICT environment more agile and future-proof.
At Tieto Security, we are ready to help you on your journey to GDPR compliancy – including the requirement of data portability.