The Importance of Data Portability for Fulfilling Data Subject Rights
Data portability defines that individuals have the right to request a copy of their personal information and/or have their information shared or transmitted from one controller to another. The controller being the organization that has legally obtained the individual’s information for a legitimate processing purpose (for instance a health provider or insurance firm). Both the GDPR and CCPA provide for data portability and this is a common feature for most privacy legislation worldwide. Data portability requests are considered a part of the data subject access request (DSAR) process.
Data portability is concerned with personal information on individuals and does not apply to information that has been anonymized or pseudonymized (this is specifically related to GDPR). Article 20 of the GDPR provides a description of the rights for data portability and includes this statement to help define the data portability concept: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…”
What are some examples of data portability?
- A customer wants to know what data an organization holds on them and how that data is being shared and processed.
- A patient wants information from a family doctor to be shared with a specialty provider.
- A customer wants insurance information from an old carrier to be shared with a new provider.
- A student wants information provided to a new school.
Here are some additional resources on data portability:
- UK Information Commissioner’s Office, Data Portability
- New America “The Data Portability Act: More User Control, More Competition”
You just learned about Portability, now explore related terms like Data Subject Rights, Consent, Right to be Forgotten, Data Subject Access Request and Privacy Automation.