Understanding GDPR article 20
The right to data portability is one of the most remarkable novelties of the GDPR. The Data Protection Directive, the predecessor of the GDPR, made no references to this ambitious right, and up to now, there are only small references to data portability in EU law, most notably in the telecommunication sector. Together with other parts of the GDPR, it represents one of the first theoretical steps towards a default ownership of personal data by consumers, and as a consequence, it gives the consumer greater power by increasing their level of choice. By facilitating free market conditions, it is also likely to influence and open the market as a whole; it fosters the interoperability of services, and forces organizations to develop more user-centric platforms for the management of personal data. This new right could lead to considerable costs for organizations, but it also provides a strategic opportunity if implemented in the right manner.
So, what is Data Portability?
'Data portability' is the right of an individual to receive and reuse personal data, for their own benefit. Organizations must provide a copy of the personal data an individual has previously provided, and send it to another organization (even if a competitor) upon request. Where technically feasible, the GDPR encourages this to be transmitted directly from one controller to another. The data has to be provided in a commonly used and machine-readable format, so that the new organization can readily import and make use of the data. The first request for a copy of processed personal data shall be free, and should be provided within a month of the request. This prospect naturally gives the power to individuals to make informed decisions about leaving controllers, or switching service providers using the same personal data. The right to data portability only applies if the data processing is "carried out by automated means", and therefore does not cover paper files.
Links with GDPR Right of Erasure
It seems that the right to data portability is closely related to other GDPR articles, in that they all require distinctly accessing a user's data. Note, however, that the rights of access, rectification, and erasure are not similar to the right to data portability; they could merely imply that the data controller uses the same processes for these rights as it would need to facilitate the right to data portability.
The right to data portability shares the most obvious similarities with the right of access (article 15); however, the two differ in many ways. The first obvious difference is the method by which the end user receives the data. While both encompass a level of knowledge, only the right to data portability requires the data to be provided in a workable format. In addition, under the right to data portability, users can request that the data be transmitted to another controller. Secondly, the right of access is much wider in scope; it not only refers to the data provided by the user, but can also include the purpose of its processing, the categories of personal data concerned, the recipient to whom the personal data will be disclosed, profiling, etc.
Challenges for Contact Centers
For most organizations, this new right to transfer personal data between controllers creates a significant additional burden, requiring substantial investment in new systems and processes. Organizations must create simple mechanisms for giving effect to this right (e.g., direct download tools); they must ensure the interoperability of the data format provided in the exercise of a data portability request; they must have a system in place for transmitting data to other controllers; and equally, a system for receiving data from other controllers. Moreover, organizations need an efficient technical design in place if they are to locate and transmit customer data "without undue delay".
Data controllers will need to implement supporting processes to be able to comply with these requests; some of these processes are similar to those used in the execution of other rights. At a basic level, before an organization can provide data for a subject, they need to be able to identify it. For organizations that deal with millions of customers and try to gather as much data as possible around each of their preferences, this can pose an obvious challenge. Organizations must also have the ability to do this across all channels, or they run the risk of only having half the information available.
How NICE Can Help You
The NICE GDPR Compliance Center solution, by means of advanced data tagging and Compliance APIs, allows our customers to easily locate (within a few clicks) interactions and metadata belonging to specific data subjects across ALL channels. Likewise, the same process applies to bulk requests and groups of customers exercising their right to data portability. Our GDPR solution allows for the creation of bulk policies, where data can be extracted in one go, based on rich logic. This allows our customers to efficiently locate and transmit customer data "without undue delay".
The second main challenge that article 20 poses is providing this data in a standard format that is machine readable. The Compliance Center allows you to export data in both CSV and WAV formats, both of which are some of the most commonly used electronic forms, preferred by the GDPR. Again, these can both be produced within a few clicks.
The Compliance Center also contains audit logs, for data governance, so that every action performed by each user within the system is clearly documented, and the request is properly logged. Moreover, the system has an approval workflow, so, for example, a manager could decide to offer a customer a special deal to stay with them when an approval is brought before them.
May 25th is right around the corner, so if you haven't already, now is as good a time as any to contact us and hear more about how our GDPR compliance solution can help you.