GDPR - Data portability

A new right 

The right to data portability introduced by Article 20 of the GDPR is one that does not have an equivalent in the Data Protection Directive that it replaces. In practice, this right allows a data subject to request a copy of all personal data that the data subject has provided and a controller processes electronically. This must then be transmitted directly from controller-to-controller, in order to easily allow the data subject further use of the data. 

The principle of data portability is set out in Article 20 of the GDPR: 

“The data subject shall have the right to receive the personal data concerning him or her... in a structured or commonly used and machine readable format and have the right to transmit those data to another controller without hindrance... where: 

(a) the processing is based on [data subject consent for the processing of personal data], or [the data subject’s explicit consent to processing sensitive personal data] or [processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract]; and, 

(b) the processing is carried out by automated means.”

 

Interoperability 

The purpose of the right to data portability is to promote interoperability between systems and to give greater power to the citizen over the data that controllers hold and an increased level of control and choice. 

Data subjects should be able to move between service providers without any loss of data and, therefore, enjoy a seamless transition that avoids the data subject having to re-input any information.

 

Rationale of the proposal 

The aim of the proposed right is to create a “level playing field” for newly established service providers that wish to take on more established providers, but are unable to do so because of the barrier posed by potential customers not wishing to have to re-input all of their data. 

 

Difficulties for businesses 

This aspect of the GDPR created consternation among entities with a business model that rely on personal data collected from customers and which view the manipulation and structural format of that data to be one of their main commercial assets. The ability of a data subject to be able to take that data, and the work that has gone into its structural format, and provide it to a competitor service is a potential threat to many such business models, which need to be adapted to fit the new regime. 

Further problems will arise for a business in relation to porting that data, such as identifying the appropriate contacts at the other controller entity, the necessary format for the data and effecting the porting of the data. Taking the steps necessary to effect the data porting will, of course, present an additional cost of business that entities need to factor into future operations.

Contact us

General Enquiries

North West, PwC United Kingdom

Tel: +44 (0)161 245 2000

Media Enquiries

North West, PwC United Kingdom

Tel: +44 (0) 7841 468 175

Follow us: