An important part of the General Data Protection Regulation (“GDPR”) and a new concept in the world of data protection is the right to data portability.
What is it?
In a nutshell, this new right entitles individuals, who provide their personal data to organisations, to have that data transferred either to them or directly to another organisation in a format that is “structured”, “commonly used” and “machine readable” (GDPR Article 20(1)). Organisations who receive such a request from an individual will have to comply with the request if the individual has provided the organisation with the data and where the lawful basis for processing the data is consent or performance of a contract and the organisation processes the data by automated means.
Why is it important?
In today’s digital age, more and more consumers are providing their personal information to a variety of organisations all over the world. Modern technology enables companies to gather a wealth of data about consumers e.g. data gathered by search engines for marketing purposes. Think about it in any depth and you soon realise that there is huge potential for companies to benefit from consumer data even in circumstances where there may be no appreciable benefit to the individual. However, the right to data portability can, arguably, be seen as an attempt to level the playing field by giving the individual more control. For example, many consumers provide their personal data to banks, insurance companies, online shops and service providers. With the right to data portability, these companies may find themselves having to transfer data about the individual to their competitors – potentially allowing consumers to benefit from a smoother, easier ‘switching’ of supplier or seller. The result of this is likely to be increased competition between rival companies and, potentially, more competitive pricing for the consumer.
What does the ICO’s latest guidance tell us?
As the ICO’s guidance explains, it is not only the data that an individual “provides” to an organisation that would fall within the right to data portability. It also includes “personal data resulting from observation of an individual’s activities” such as “history of website usage or search activities, traffic and location data or ‘raw’ data processed by connected objects such as smart meters and wearable devices”. The implication of this is that this data could also soon find itself with a competitor.
Another interesting extract from the guidance relates to the application of the right to anonymous and pseudonymous data. The guidance confirms that the right to data portability “does not apply to genuinely anonymous data”. This is because genuinely anonymous data cannot be linked back to the individual and does not, therefore, constitute personal data. However, importantly, the guidance goes on to state that the right will apply to pseudonymous data “that can be clearly linked back to an individual” – further enhancing the rights of consumers.
In summary, it seems fair to say that the right to data portability is likely to become a key feature of the GDPR era. The potential benefits that it will provide to consumers and the implications that it has for business are yet to be fully realised but are likely to become more and more apparent as the use of digital technology and online interconnected services continue to expand exponentially. It also seems likely that data portability requests for some sectors and how the ICO interprets the new legislation will be litigated upon as businesses seek judicial guidance on the new regulations. In the meantime, it is essential that businesses – particularly in the digital sector – take steps to adequately prepare by ensuring that they have an adequate policy and procedure in place and that their IT systems are capable of servicing such requests.
Stephensons assist businesses and other organisations with a wide range of data protection issues. For advice or assistance, call us now on 01616 966 229.