GDPR - Data portability
"The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, …."
Under Article 20 of the GDPR, data subjects can request two things:
1. A copy of the personal data they have provided to the controller, in a structured, commonly used and machine-readable format.
2. That this data is transmitted to another data controller.
As the text above shows, the GDPR does not prescribe a specific file format or how the data has to be presented, but it does require a "structured, commonly used and machine-readable format".
Where technically feasible, the data subject can also require the controller to transmit the data directly to another controller, which may well be a competitor.
From a technical perspective, data controllers will need to ensure that the systems, products, applications and devices that collect and store information on data subjects also have the functionality to export and transmit that data.
Remember that the right to receive a copy in a machine-readable format applies only when the data concerned was:
1. Provided by the individual to the controller;
2. Processed by automated means; and
3. Processed on the basis of consent or the performance of a contract.
How will data portability work in practice?
1. A direct download link offered by the data controller (in formats such as CSV or XLS)
2. A direct transmission of the information from one data controller to another
3. Deposit of the data with a trusted third party.
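As an added illustration of the technical requirement described above (example code, not part of the original article and not Titans Security's own tooling), the following Python sketch applies the three Article 20 eligibility conditions to a stored record and emits only the portable subset as CSV and JSON. The field names, the lawful-basis labels, the provenance flag and the sample record are all constructed for the example; JSON is included next to the CSV the article mentions as one more commonly used, machine-readable format.

```python
import csv
import io
import json
from dataclasses import dataclass
from typing import Any

# Lawful bases under which Article 20 applies (consent or performance of a contract).
PORTABLE_BASES = {"consent", "contract"}


@dataclass(frozen=True)
class Field:
    """One attribute held about a data subject, tagged with its provenance.

    The tags are assumptions for this example: a real system would carry
    equivalent metadata in its data catalogue or schema.
    """
    name: str
    value: Any
    provided_by_subject: bool   # True: supplied by the individual; False: derived/inferred by the controller
    lawful_basis: str           # e.g. "consent", "contract", "legal_obligation"
    automated: bool = True      # False for data held only in manual or paper files


def partition(record):
    """Split a record into portable fields and excluded fields (with the reason).

    A field is portable only if all three Article 20 conditions hold:
    provided by the subject, processed by automated means, consent or contract basis.
    """
    portable, excluded = [], {}
    for f in record:
        if not f.provided_by_subject:
            excluded[f.name] = "derived or inferred by the controller, not provided by the subject"
        elif not f.automated:
            excluded[f.name] = "not processed by automated means"
        elif f.lawful_basis not in PORTABLE_BASES:
            excluded[f.name] = f"lawful basis is {f.lawful_basis!r}, not consent or contract"
        else:
            portable.append(f)
    return portable, excluded


def export_json(record) -> str:
    """Portable subset as a JSON object (sorted keys for a stable, diffable export)."""
    portable, _ = partition(record)
    return json.dumps({f.name: f.value for f in portable}, indent=2, sort_keys=True)


def export_csv(record) -> str:
    """Portable subset as two-column CSV; csv.writer quotes values containing commas."""
    portable, _ = partition(record)
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["field", "value"])
    for f in portable:
        writer.writerow([f.name, f.value])
    return buf.getvalue()


# Constructed sample record for the example (not real data).
SAMPLE_RECORD = [
    Field("email", "alice@example.com", True, "contract"),
    Field("shipping_address", "1 Example Street, Dublin", True, "contract"),
    Field("preferred_language", "en", True, "consent"),
    Field("credit_risk_score", 712, False, "contract"),              # derived by the controller
    Field("tax_identifier", "IE1234567T", True, "legal_obligation"),  # wrong lawful basis
    Field("signed_paper_form", "scan-0042.pdf", True, "contract", automated=False),
]

if __name__ == "__main__":
    portable, excluded = partition(SAMPLE_RECORD)
    print(export_json(SAMPLE_RECORD))
    print(export_csv(SAMPLE_RECORD))
    for name, why in excluded.items():
        print(f"excluded {name}: {why}")
```

The point of the `partition` step is that the export is driven by metadata about each field (who supplied it, on what basis, how it is processed) rather than by dumping the whole profile: derived scores, data held under a legal obligation and paper-only records stay out of the portable copy, and the reasons are recorded so the response to the data subject can explain what was withheld and why.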
To be continued... Stay GDPR tuned!
Yaniv Milhovitch, CISSP, CISM, MCSE, Head of Compliance Division @Titans Security Ltd