GDPR Data Portability is a new right that will enable individuals to port their data from one online service to another. So how should businesses prepare for the measure that will empower both their customers and competitors alike?
GDPR Data Portability Guidelines that have been recently published by the Article 29 Working Party, the top body of EU Member States’ Data Protection Authorities, provide for some crucial answers businesses controlling people’s personal data should keep in mind.
What types of data are subject to GDPR data portability obligation?
An individual has the right to port their data “in a structured, commonly used and machine-readable format”. Article 29 Working Group puts forward the example of a music fan who might be interested in retrieving her current playlist from a music streaming service to find out how many times she listened to specific tracks in order to make her purchasing decisions on her newly chosen music platform. Another individual might want to retrieve his contact list from his webmail application to build a wedding list.
What tools to port data do I have to offer to individuals?
Businesses should offer a direct download opportunity for the individual but should also allow data subjects to directly transmit the data to another data controller. This can be done by means of an API.
In order to port data, individuals may also wish to use a personal data storage of a trusted third party, to store the data and grant permission to data controllers newly chosen by the individual to access and process the personal data as required.
When does GDPR data portability obligation apply?
Data portability needs to be enabled in all cases where you have been gathering, by automated means such as via your website or app, personal data based on individuals’ consent or in relation to contracts that you entered into with them. At the time when data is obtained from the individual, the individual must also be informed about their right to data portability.