Data Portability

What is Data Portability?

In relation to the GDPR, Data Portability is the fundamental right of the data subject (usually an individual) to move their information from one controller to another controller. This needs to be done in a ‘common format’ and within one month of the request taking place.

Why does Data Portability affect an organisation?

This can be broken down as several key requirements for an organisation. Organisation’s need to be able to:

• Identify all the data that any given subject has given to you, whilst also being able to separate it from other individual’s data.
• Bundle the relevant data into a format that is usable for the subject as well as the new controller.
• Send the data securely to the individual and/or new controller.
• Erase the data (if necessary) once it has been received by the relevant individual.

Alongside these requirements, the individual could also expect transactional data, such as mobile phone spend, bank accounts, utility usage or store loyalty cards.

What should businesses be asking themselves in regards to Data Portability?

There are several questions businesses should be asking themselves ahead of the introduction of Data Portability.

1. How can we process Subject Access Requests (SARs) and Portability and Erasure Requests within the one month timeframe?
2. Are we able to validate the ID of the individual?
3. Can we ensure that all of the data has been found and sent?
4. What format would be the best to present the data in?