Judging by the quantity of unsolicited compliance-assessment services that has appeared in my inbox of late, it would seem there is finally awareness of the upcoming changes to European Union data privacy regulation.
Despite their claims that "GDPR readiness" can be achieved via a free white paper or 30-minute seminar, I feel that true adherence to the letter and spirit of the regulation will prove a challenge to even the most savvy professionals.
In an effort to help you understand the complexities lying in wait for your organisation, I would like to review just one of the new or expanded rights that you must comply with in the near future: the right to data portability.
Does your datacompliance strategy include a full briefing to your call centres and is your data API – you have one of those, right? – robust enough?
Article 20 of the General Data Protection Regulation introduces the right of data portability. This enables data subjects to receive personal data in a "structured, commonly used and machinereadable format".
Meant to empower individuals with the ability to control their personal data, the concept is simple – if I have given you my data, then I am able to retrieve it or even transfer it to someone else.
The operational and technical complexities, however, are far greater than most believe. To begin with, data controllers will be required to inform customers of this new right, and recent guidance from the GDPR working party recommends that communications be amended to remind consumers about data portability before events such as account closures.
Does your data-compliance strategy include a full briefing to your call centres and is your data application programming interface – you have one of those, right? – robust enough to allow a deactivated user account to be used to identify a customer or competitor that needs to retrieve their personal data?
Then we have the matter of what data a customer is actually entitled to. The GDPR is quite clear that the scope of portable personal data is only "personal data concerning him or her" and data "which he or she has provided to a data controller".
An example is the obvious category of data knowingly provided by an individual, such as names and addresses. But it also includes "observed" data that has been recorded by virtue of the use of a service or device – search history, location data, contents of email (for webmail providers) and even raw data from fitness trackers are all explicitly mentioned in the guidance documents.
As a data controller, you must review all aspects of data you hold on consumers across the various parts of your siloed organisation and classify it accordingly to satisfy an access request.
Controllers who have been chosen to receive customer data in the context of a portability request will have even more to deal with. The GDPR states that data controllers must "ensure that data provided are relevant and not excessive with regard to new data processing".
As an illustrative example, the working party describes a portability request being received by a secure storage platform that contains a series of customer emails. This scenario prohibits that controller from processing the contact details of other customers that may be included in the data file. This results in the additional burden of not just understanding your organisation’s data but the data of its competitors.
Fortunately, the time to comply with a portability request is quite generous at one month – or up to three months for complex cases. The data must be downloadable and in a commonly used structured format and, given the complexity of such requests, the working party strongly recommends that APIs and metadata augmentation are included for the purpose of satisfying these requests.
However, the terms "structured, commonly used and machinereadable" have minimal definition, and suggested standards such as the European Interoperability Framework may be challenging for organisations that do not have experience of working with them.
On the surface, the new requirements are sensible and, beyond empowering consumers, will compel organisations big and small to review their data collection and definition process. This is a good thing for everyone, as improved interoperability will allow brands to use data to better service their customers and remove many walls resulting from the ad-hoc pockets of customer data that almost certainly exist in your company.
However, as we march towards 25 May 2018, concern continues to grow about how many companies are actually working in earnest towards this readiness. My sincere hope is that your brand is one of them.