What does the data controller have to take into account in order to respond to the exercise of the right to portability under the new GDPR Framework?

It is common to hear about the right to portability in cases such as portability in the telephone industry. We have all tried to change the telephone company that we use, either for a better offer or to reduce the tariff, and to want our telephone number to remain in force.

The same principle can be applied to data portability in the 21st Century.

What is data portability and how does it affect us?

The right to portability, in a broad sense, means that the interested parties have the right to receive their data in a format of common use, structured and mechanically, from those responsible for processing them. In turn, this raises the possibility that other parties can transmit the data to other parties on the other side of the host server.

These issues have been further complicated by the new GDPR (Global Data Protection Requirement) policies. In order to respond to the exercise of the right to portability, the data controller has to take into account different aspects:

• Check that the legitimacy of the processing is based on the consent of the data subject and/or the execution of a contract.
• Confirm that the processing of personal data is carried out by automated means.
• Bear in mind that portability only applies to the personal data provided by the interested party, who is the only one who may request it. The personal data that the person in charge has generated and deduced from the treatment, will not be able to apply the right.
• Provide the data subject with personal data in a structured format.
• Transmit the personal data directly to another person in charge, as long as the technique allows it.
• Deleting personal data at the request of the data subject.
• Respond to the interested party within a maximum period of 1 month from receipt of the request.

Before you understand the relationship between data portability and the GDPR, you will need to get a better understanding of the legal framework. Some of the policies that were implemented under the GDPR are similar to those under the previous policies established by the Global Data Directive. Here is an overview:

• Every customer must consent to have their data collected and shared

• Data must be anonymized to protect user privacy

• You must be notified if there has been a data breach by the data collector

• Your data must be handled securely before being transferred across national borders (whether it is being sent inside or outside of an EU member state)

• Companies of certain sizes must appoint a data protection officer

If you are moving your data to another source, it will need to be properly encrypted and secured. It shouldn’t raise many security risks. However, one risk that you need to consider is the possiblity that the new company handling your data won’t have to appoint a data protection officer. This is usually a concern if you are moving data to a smaller firm. However, it rarely has a significant impact on the security of your data. It also doesn’t occur very often.