In our tech-centered world, personal data has become a valuable asset that is collected, processed and analyzed by various organizations. In response to the rise in data breaches and privacy concerns, privacy advocates have pushed for, and governments around the world have passed, laws designed to strengthen the protection of personal data. The data subject rights outlined in the GDPR in particular have set precedents that other privacy laws around the world replicate to some degree.
But while several of these rights—the right to be forgotten, the right to update old data, and more—seem self-explanatory and are frequently utilized, one in particular doesn’t get as much attention. This is the right to data portability. This right was not covered under the GDPR’s predecessor, the EU Data Protection Directive, so its appearance in the GDPR represented a bit of a shift. According to the IAPP, consumers rarely exercise the right to data portability, and as a result it has a much smaller legal paper trail than the often-invoked right to access or update.
Today, we will discuss what the right to data portability entails, what data it applies to, and how it fits into other consumer rights.
The right to data portability allows individuals to obtain and reuse their personal data held by a particular organization. This data can be transmitted to another company or stored for personal use. The purpose of this right is to give individuals greater control over their personal data and to facilitate competition between organizations by enabling users to switch between service providers with greater ease.
When a user files a data portability request, the data controller must provide the requested information in a commonly used, machine-readable format. The controller must also fulfill the request in a timely manner and ensure that all applicable data is provided.
To exercise one’s right to data portability, the user first makes a request to the data controller who holds their data. Companies can generally specify the format they want these requests to arrive in—i.e., postal mail, a phone call, or an online form—as most privacy laws allow for flexibility. But whatever the method, the request should include the user’s name and contact details. The data controller must respond to their request promptly (or within a legally specified timeframe) and provide them with the data for personal storage, or port the data to a specified recipient.
The right to data portability applies to any and all personal data that an individual has provided to a data controller, such as contact information, images, or comments. This can also include data generated while the individual works with the organization, such as records from fitness apps or smart meters, and any data provided for the performance of a contract or with consent.
As stated earlier, the right to portability does not necessarily cover anonymized data that cannot be traced back to the original data subject, or “inferred” or “derived” data generated based on user-provided information (such as a company-created user profile). The right to portability also does not apply to data processed based on legitimate interest or public interest. However, users can still request access to anonymized or inferred data. Companies are generally encouraged to provide it unless they have a good reason not to.
The right to data portability does not affect any other data rights. This means that individuals can exercise their right to data portability without prejudice to any other rights they may have, such as the right to erasure or the right to access their personal data. The right to data portability also does not affect the original retention period of the data, and data controllers can continue to provide their services to individuals after the data has been ported.
The right to data portability is a crucial part of multiple privacy laws worldwide and, like other data subject rights, presents a not insignificant challenge. The company receiving the request has to find all relevant data in a timely manner and organize it in a proper format for portability, and they have to keep up with potentially many such requests from many different people. Staying on top of all of this is no small feat.
That’s why we created 4Comply: user-friendly privacy compliance software that streamlines the entire rights fulfillment process to keep you in full legal compliance the whole time. Whether it’s the right to data portability, the right to be forgotten, or something else entirely, 4Comply has you covered. Contact us today to learn more.