One of the rights given to individuals under the GDPR is that of data portability. But when does it apply and what exactly does it entail?
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format, but it only comes into play in certain situations.
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. This means that individuals can move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. It also allows individuals to take advantage of applications and services that can use this data to find them a better deal or help them understand their spending habits.
The right only applies to personal data that an individual has provided to a controller. For these purposes, “provided to” includes not only obvious situations such as when an individual gives you their email address, but also where a controller obtains personal data resulting from the observation of an individual’s activities, such as where they are using a device or service. Such personal data may include the history of website usage or search activities, traffic and location data, or raw data processed by connected objects such as smart meters and wearable devices. It does not, however, include any additional data created by a controller based on the data an individual has provided. (Note, however, that although such “inferred” or “derived” data falls outside the scope of data portability, if it is personal data it may still need to be provided in response to a subject access request.)
There are already some organisations in the UK who offer data portability through Midata and similar initiatives. These initiatives allow individuals to view, access and use their personal consumption and transaction data in a way that is portable and safe.
How should an individual make a request?
There is no set format: the request can be made verbally or in writing and can be made to any part of the organisation, i.e. it does not have to be made to the Data Protection Officer. The request does not have to mention the words “data portability” or “Article 20 of the GDPR”. This means that all staff should be aware of what the right involves so that they can recognise a request when it comes in, and training will be required. Good practice would be for organisations to record details of all requests and to establish clear procedures for all staff to follow when a request is received.
All requests must be acted upon without undue delay and always within one month of receipt (which can be extended by two months only in particularly complex cases or if you have received a number of requests from an individual), so staff should also be made aware of these timelines and always act promptly.
What does data portability allow an individual to receive?
This right enables an individual to:
Controllers must provide data in a structured, commonly used and machine-readable format. These terms are not defined in the GDPR but are helpful when deciding what format to use for the transfer. The ICO recommends the “Open Data Handbook” published by Open Knowledge International, which provides guidance relevant to the right to data portability, and the ICO also provides some guidance on its own website as to what are acceptable formats for the purposes of data portability.
Can a controller ever refuse to comply with a request for data portability?
As with many of the data subject rights, a controller can refuse to comply with a request for data portability if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature. If the controller does indeed consider that the request is manifestly unfounded or excessive, it can charge a reasonable fee to deal with it (based on the administrative costs of complying with the request) or refuse to deal with it, as long as it is able to justify its decision in each case. If a controller refuses to comply, it must inform the individual without undue delay and within one month of receipt of the request, and should inform the individual of: