In this multipart guide, we will be assessing your rights and obligations in the rapidly approaching GDPR, equipping you with the knowledge to stay secure once the new regulation comes into play.
What is the right to portability?
The right to portability states that individuals are entitled to obtain and reuse their personal data for their own purposes. This includes the secure moving, copying and transferring of the data between IT environments, without hindrance to usability.
It is worth noting that some organisations in the UK are already offering data portability through midata or similar initiatives, allowing individuals to access and use their personal data through a portable and safe process.
When does this right apply and how do I comply?
The right to data portability only applies when the individual has provided the data to the controller, when the processing is automated, or when the processing is based on consent or the performance of a contract.
In order to comply, the data must be provided in a structured, commonly used and machine-readable form, so organisations are able to easily access and use this data. This means that the information is structured so that computer software can extract specific elements of the data without serious additional effort required. A good example of this is a CSV.
This information must be provided free of charge, and should be transferred to the individual or another organisation as requested if technically feasible. You are NOT however, required to adopt or maintain processing systems that are technically compatible with other organisations.
If the information requested concerns more than one individual, you must consider whether providing the data would contest the rights of any other individuals prior to fulfilling the request.
You must respond without undue delay, and within one month of the request submission.
This can be extended by a further two months where the request is complex or you receive multiple requests, however if this happens, you are required to inform the individual to explain why this request is necessary within the first month.
Where you are not going to fulfil a request, you must contact the individual to inform them of why, as well as giving them access to the supervisory authority. It is also your role to inform them of their right to complain to this supervisory body, as well as their right to a judicial remedy without undue delay within one month at the latest.
To find out more about GDPR compliance within your business and best practise for data processing, give MarketDeveloper a call today on +44 1784 432 082.