Data portability – A Utopian GDPR Requirement?

Tomi Behm

Lead Security Services Product Manager at Tieto

30.05.2017 08:45 am

One significant but less discussed aspect of the GDPR is data portability. It is a complicated matter that CIOs, CISOs, IT managers, data architects, and other people responsible for personal data must research thoroughly.

Data portability is introduced in Article 20 of the GDPR. It defines a new right for data subjects to port data about themselves. It is related to the right of access to personal data and to the right to be forgotten, but in many ways it is a very different thing.

The purpose of the right to data portability is to support user choice, user control, and consumer empowerment. This is the exact wording of Article 20:

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.”

Of course, you already store personal data in a structured and machine-readable format, don’t you? Well, even if you can answer yes, you are most probably speaking only about your own ICT environment.

Responsibilities of data controllers

The wording of the GDPR is demanding, but it also seems to leave room for interpretation:

“The data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.”

It would be tempting to point at the last three words and say: “Sorry, we could not do it, because it simply wasn’t feasible.” But that won’t make you compliant. How, then, can GDPR compliance be achieved with regard to Article 20?

The European Commission has published a guidelines document, which urges the development of means that will contribute to answering data portability requests. It uses the term “data controllers” as a general reference to organisations that handle and store personal data.

For data controllers, data portability may seem like a utopian project causing a major headache and huge costs. So far, everyone has handled and stored data internally, based on their own business needs.

The guidelines document and its separate FAQ clarify the responsibilities of data controllers. They state that data must be easily transferable from one IT environment to another.

Urgent need for APIs and standards

Basically, data should be made universally interoperable. It is up to data controllers to guarantee that they can provide individuals with their data, either for personal use or for transfer to another controller.

The GDPR does not demand that data be stored in a fully universal format. Nor is anyone being forced to create and maintain compatible ICT systems overnight.

One solution for achieving data portability is to move up a level of abstraction: the guidelines suggest using Application Programming Interfaces (APIs) that enable portability by interacting with any software to process requests submitted by or on behalf of data subjects. This means such APIs should be crafted urgently, bearing in mind that APIs involve security risks. A portability endpoint hands out a complete personal-data record on request, so the requester must be strongly authenticated as the data subject (or as a controller acting on their behalf) and the transfer itself must be protected. Portability must not expose the data being shared through weak security measures.

Thankfully, you don’t have to invent everything yourself. The guidelines recommend that industry stakeholders and trade associations work together to draft commonly shared standards on data portability. However, as long as no such standards exist, organisations can’t remain in waiting mode.

Restrictions and benefits

Luckily, there are important restrictions on the right to port data. First, the right is limited to data provided by the data subject, “knowingly and actively”. Second, the data must be processed by automated means, which excludes manually processed data.

The guidelines also discuss the possibilities for limiting the scope of the data to be exported or imported. Data subjects could be given the freedom to choose which data fields they wish to include and which should be ignored. Another option is to use APIs that automatically leave out unnecessary fields. Leaving excessive data out of any transfer is itself part of data protection.
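As an added illustration of the scoping rules above (this is not code from the post or from Tieto), the following assumes the controller tags each stored field with how it was obtained and whether it is processed by automated means; the export keeps only fields the subject provided, processed automatically and, if the subject made a selection, actually requested, and it records why every other field was left out so the decision is auditable.

```python
import json
from dataclasses import dataclass

# Assumed provenance tags; the controller's real data model will differ.
PROVIDED = "provided"   # supplied knowingly and actively by the data subject
DERIVED = "derived"     # inferred or computed by the controller: out of scope


@dataclass
class Field:
    name: str
    value: object
    origin: str            # PROVIDED or DERIVED
    automated: bool = True  # False for manually processed data (out of scope)


def export_portable(record, requested=None):
    """Build the Article 20 export for one data subject.

    record:    list of Field objects held by the controller.
    requested: optional set of field names the subject chose to include;
               None means "every field that is in scope".
    Returns (export_dict, excluded) where excluded lists (name, reason).
    """
    export, excluded = {}, []
    for f in record:
        if f.origin != PROVIDED:
            excluded.append((f.name, "not provided by the data subject"))
        elif not f.automated:
            excluded.append((f.name, "manually processed"))
        elif requested is not None and f.name not in requested:
            excluded.append((f.name, "not requested by the data subject"))
        else:
            export[f.name] = f.value
    return export, excluded


def to_json(export):
    # Structured, commonly used, machine-readable; sorted keys keep output stable.
    return json.dumps(export, sort_keys=True, ensure_ascii=False)


# Constructed sample record for a fictional data subject.
SAMPLE = [
    Field("email", "alice@example.com", PROVIDED),
    Field("purchase_history", ["order-1", "order-2"], PROVIDED),
    Field("paper_form_notes", "joined at trade fair", PROVIDED, automated=False),
    Field("credit_score", 712, DERIVED),
]

if __name__ == "__main__":
    data, left_out = export_portable(SAMPLE, requested={"email", "purchase_history"})
    print(to_json(data))
    for name, why in left_out:
        print(f"excluded {name}: {why}")
```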

Fulfilling the right to data portability will be a big part of GDPR projects across organisations. It will consume resources, but as my colleague Maria Nordgren has pointed out, it will also benefit the customer experience. And once your data is made portable, you can expect other businesses to do the same. It will also make your ICT environment more agile and future-proof.

At Tieto Security, we are ready to help you on your journey to GDPR compliance, including the requirement of data portability.

Check out Tieto Security’s GDPR webinar recordings in Finnish and Swedish. Each lasts about 45 minutes.
