It’s May, which means we’re now in that frantic time period leading up to the GDPR where the biggest concerns loom largest. For some, that’s the documentary obligations under the Regulation, for others it is whether to hire a DPO, but it seems that everyone I talk to is worried about Article 20’s requirement for data portability. The very phrase itself inspires confusion: does GDPR mean that I have to give all of my customers all of their data at any time, simply upon request?
Obviously it’s not that simple (it never is). Before we get into the particulars, you have to understand what data portability means. The GDPR is all about giving individuals the right to exercise authority over the information that they have given to data controllers. The idea is that data subjects never truly “give” their data away, but instead they allow others to use it. As such, if a data subject wants to have every datum they’ve provided to a company, the GDPR embraces that as a right. And the data subject can direct you to provide the data to a third party – even a competitor.
Technically, the scope of Article 20 is limited to those companies that obtained personal data either through consent or through the performance of a contract, and the processing of the data must be automated (that is, the processing isn’t done on paper files). Of course, that sounds like it covers the vast majority of commercial enterprises, who get their data from customers and (importantly) employees through consent or contractual arrangements and process the data electronically. Handling such requests can, and will, be a substantial burden, and there are very narrow circumstances in which you can decide not to comply.
As with everything in life, do not follow the Costanza Method.[/caption]
That burden is not made easier by the applicable time frame. When a data subject makes a request for their data, the controller has to provide them the data in a machine-readable format within a month. To reiterate, if a data subject makes a request on March 31 for all of the data they’ve given your company over the past five years, you need to send them their data in a commonly used, machine readable format (e.g., CSV or JSON) by April 30. You can get an extension if the request is extremely burdensome or unreasonable, but I wouldn’t rely on getting those extensions as a matter of course.
Data portability is, in many ways, one of the more immediately difficult aspects of GDPR compliance, because it mandates that companies have the internal technical capability to collect and transmit data within a short window of time. More than that, it presumes that a data portability demand from a data subject will be processed quickly enough so that there is not a substantial gap between request and execution — even a delay of a few days could cause a violation.
There are plenty of other complicating factors to consider (such as how to structure the data, how to verify the identity of the requesting party, whether to disclose third party data to the subject, and what to do with the troublesome question of requests from subjects made in person or over the telephone), but the central point here is that data portability creates real, and substantial obligations on controllers. And it does so in an effort to reinforce the concept of data minimization. The premise, it seems, is that controllers will receive a portability request, and in the midst of amassing the reams of data someone will throw up their hands and say “Do we even need all of this stuff?” To which the European Commission will reply “exactly.”
In that way, Article 20 is the GDPR provision that gives teeth to the GDPR’s push for minimization. The less data accumulated is the less data to bundle and transmit to your competitors. And if companies don’t want to limit the data they take in, and instead invest the time and money to create a fast, nearly automated process for giving copies of all data on an individual back to the data subject, then that satisfies the Commission anyway. Deciding which of these approaches is best for your company has to be a high priority, right now.
In the three weeks left until the GDPR is in force, you’ll have to decide how to handle portability requests in the short and the long term, and that might mean rethinking how you take in data altogether. Either way, there isn’t much time left to decide.