What is Data Portability?
In May of 2018 the European Union tightened regulations about customer right to data portability as part of the GDPR (General Data Protection Regulation). But what do these changes mean, and how will they impact business operations?
Data portability is the capability to move data from one platform or service to another. It requires that data be stored in a commonly recognized format, and that it maintains a degree of accessibility. With the introduction of the GDPR, data portability has become more critical to the enterprise.
What is the Right to Data Portability?
The European Union’s General Data Protection Regulations (GDPR) requires data owned by users to be portable, and that electronic businesses and services must provide to it to owners upon request. This is the “right to data portability.”
The right to data portability ensures that, within 30 days of a request, organizations must transfer individuals’ personally identifiable information (PII) in a safe, secure, and re-usable format.
For modern businesses, this means big changes. Gone are the days when a departing customer’s data could simply be deleted or, more likely, archived for long stretches in the hopes users will return. Under GDPR, organizations must have clear rules for promptly extracting, securing, and transferring private data to its original owners.
For example, Netflix accumulates countless personal details about customers who have long used the subscription service. This can include credit card information, favorite shows, viewing tastes, and more. Prior to GDPR, when a customer left Netflix, all that data stayed with the company. Now services like Netflix must provide this detailed information so that customers can use it for another, potentially competing service. Because it facilitates the exchange of personal data between data controllers, under the control of the data subjects, the right to data portability liberates the flow of personal data between companies, and therefore fosters the development of new innovative digital services.
Failure to deliver data portability not only negatively impacts the establishment of trustworthy personalized services with data subjects, but it can come with big costs, including fines totalling up to four percent of global revenues. Indeed, this makes a strong incentive for reaching compliance.
How to Comply with the Right to Data Portability
To stay compliant with GDPR, organizations are tasked with developing plans and procedures for securely transferring owner data in a “structured, commonly used, machine-readable format.” Developing a data portability plan and training internal IT staff on how to remain compliant with requirements will be a mandatory management practice for organizations moving forward. As stated by the regulator, “data controllers should develop the means that will contribute to answer data portability requests, such as download tools and Application Programming Interfaces”.
Once plans are made for extracting portable data, organizations must be trained on the security requirements for delivering it to its destination. This can be one of three endpoints:
- From the organization to the data owner
- From the organization to a trusted third party
- From the organization to a new data controller (host)
Note also that a stipulation of the right to data portability declares the owner’s right to request data even when he or she is not leaving a service. Should a user want a report on information like shows views, hours spent listening, or other details, companies must be able to promptly provide it to remain compliant with this aspect of GDPR.
Right to Portability vs Right to Access
The European Union’s adoption of GDPR standards stress the right to data portability, but also includes a provision for the right to data access. So what’s the difference?
While portability concerns the owners’ right to take their data with them to a new platform or service, Article 15 of the GDPR specifies the right to data access and outlines a new list of privileges to which consumers are entitled during their association with a data holder. Key among these rights of access include the rights to know:
- What personal data is being processed.
- The purpose of the processing of personal data.
- The parties with whom personal data is being shared.
- A method for demanding certain types of data usage cease.
- The storage and archiving methods and schedules for personal data.
From a data subject perspective, the goal is slightly different. The right of access is about transparency, while the right to portability is more about avoiding to be locked in. For example, would you be comfortable using a service like Linkedin, bringing in your list of contacts, or detailed information about your career, if you were not able to leave it wherever and whenever you want?
Right to Portability vs Right of Explanation
With the language in Articles 13-15, the GDPR also specifies the right of explanation. This is a hidden but real area where consumer data is being used to fuel decisions in machine learning models.
Automated processes that mine personally identifiable information and use it in aggregate to trigger business events, either internal to the using organization or in league with third parties, must be thoroughly explained to the data owners so that they realize how platforms are using their information.
What is an Interoperable Format?
The GDPR stipulates new guidelines for how user data is preserved and presented. An “interoperable format” is any standard, commonly used data format that can be seamlessly portable between platforms. Proprietary or little-used data formats that won’t easily integrate with other services are no longer allowed under the GDPR.
Data Portability and the Cloud
Data portability is crucial in the cloud. Before the cloud, most of your personal data was on your hard drive: the only thing that had to care about was to use standard format for storing data, or importing/exporting them. But with the cloud, the data storage layer is not under your control any longer. You not only need to import/export this data in a seamless way, but you have to move data through the cloud. Of course, this standardization principle applies to all kind of data, but in the case of personal data, those data movements must be driven by the data subject, rather than the data controller..
Think tanks and industry trailblazers have long collaborated to bring about benefits of standardization. One great use case is TCP/IP—the protocol upon which the internet agreed to grow. By standardizing data portability, new products can be developed around a universal method for plugging and unplugging user data.
But to reach the Eden of secure data portability, developers and organizations must first meet the storage and security problems the cloud presents. These include but aren’t limited to:
- Security — Portable data presents challenges to organizations on two fronts. First, the incoming data must be thoroughly inspected and validated as safe before it is ingested into a network. Second, businesses must ensure safe delivery of outgoing data packages to counterpart networks. Each stage of these transaction points present compliance exposure, so security is paramount to efficient portability.
- Communication with destination applications — Compliance regulations can make for strange bedfellows. Rather than their normal practices of secretly innovating their products to gain advantage in the marketplace, competitors must now devote a portion of their resources to working together to ensure their applications can talk at least enough for data portability. In many organizations this will require at least a partial philosophical shift.
- Balancing portability against innovation — While changing standards make increased communication between competitors necessary, ever-changing applications, especially in a continuous delivery model, will constantly change or enhance the way they handle data. This will create additional data handling fields that won’t match up across the spectrum of service providers, and standards will be needed for separating companies’ intellectual property from the customer right to portability.
As organizations look to a future that will exist almost entirely in the cloud, international standards for data portability must be at the forefront of development planning. Failing to plan to provide customers with the right to portability is guaranteeing a cumbersome, potentially expensive problem in the near future.
Learn More about Data Portability and GDPR
The right to data portability is one of the most influential and industry-changing provisions of the General Data Protection Act. Its implications for both businesses and customers will shape the future of applications, as more and more companies choose to move to the cloud.
Talend solutions can help your company build a strong data governance program on top of a modern data management platform to ensure compliance, while still using data for insight. Talend products allow you to manage opt-in consent across customer-facing applications, and implement data services to establish the right to be forgotten, right of accessibility, and right of rectification, also unlocking the right for data portability.
To learn more, take a look at our webinar, Practical Steps to GDPR Compliance, which will outline ways to ensure data portability in your organization.
Ready to get started with Talend?
More related articles
- Pillars to GDPR Success (2 of 5): Data Capture and Integration
- Pillars to GDPR Success (4 of 5): Self-Service Curation and Certification
- Pillars to GDPR Success (3 of 5): Anonymize and Pseudonymize for Data Protection with Data Masking
- Pillars to GDPR Success (5 of 5): Data Access and Portability
- Preparing for GDPR
- [GDPR Step 14] How to Govern the Lifecycle of Information
- Pillars to GDPR Success (1 of 5): Data Classification and Lineage
- [GDPR Step 15] How to Set Up Data Sharing Agreements
- [GDPR Step 16] How to Enforce Compliance with Controls
- [GDPR Step 13] How to Manage End-User Computing
- [GDPR Step 11] How to Stitch Data Lineage
- [GDPR Step 09] How to Conduct Vendor Risk Assessments
- [GDPR Step 12] How to Govern Analytical Models
- [GDPR Step 10] How to Improve Data Quality
- [GDPR Step 08] How to Conduct Data Protection Impact Assessments
- [GDPR Step 07] How to Establish Data Masking Standards
- [GDPR Step 3] How to Confirm Data Owners
- [GDPR Step 06] How to Define Acceptable Use Standards for GDPR
- [GDPR Step 2] The Importance of Creating Data Taxonomy
- [GDPR Step 4] How to Identify Critical Datasets and Critical Data Elements
- [GDPR Step 01] How to Develop Policies, Standards, and Controls
- What is Data Privacy?
- [GDPR Step 5] How to Establish Data Collection Standards