Posted by Joe Bartolo, Information Governance & Risk Solutions, and Sid Jiwnani, a solicitor and Director (Europe), at Legal Futures Associate Knovos
“… processing of personal data require(s) that appropriate technical and organisational measures be taken to ensure that the requirements of GDPR are met”
This article will focus on this one specific section of the GDPR, article 20, which requires ‘portability’ of data containing personal information, and in particular the technical measures to be taken.
Who are the authorities on the subject?
The European Data Protection Board was created by the GDPR to replace what was formerly called WP29 (Article 29 Working Party). It advises the European Commission on protecting personal data.
The WP29 has continued to issue guidelines interpreting GDPR principles during the transition to the new board. In April 2017, the WP29 adopted WP242/262, providing further clarity regarding the definition of data portability under the GDPR.
Further guidance on data portability exists in the GDPR Recitals, which provide information on the European Commission’s rationale. Recital 68 directly addresses portability and provides insight into the obligations imposed on business entities. Recital 66 discusses the so-called right to erasure, which imposes a ‘purge-ability’ requirement closely linked to portability.
Data protection authorities are charged with enforcing the GDPR’s terms and will interpret the meaning of portability based on the guidelines provided by the EU governing bodies. In the UK, the Information Commissioner’s Office (ICO) has a wide range of authority to enforce the GDPR, along with corrective power including the ability to impose sanctions.
Portability: What it is and why it matters for GDPR compliance
The GDPR defines the right of data portability in article 20(1): “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the data have been provided.”
The rights associated with a subject access request (SAR) are outlined in article 15. Organisations must locate, report, produce, and delete personal information in response to a SAR filed by an EU resident.
In theory, the portability requirement empowers an individual, giving them greater control over personal information and the ability to transfer that information from one provider to another. The GDPR envisions a consumer moving contractual services from one service provider to another competitive provider, creating an easier means of transferring, and possibly deleting, the existing personal information that the former business entity possessed about the specific consumer.
WP242 states: “Pursuant to article 20(1) of the GDPR, to be within the scope of the right to data portability, data must be: personal data about him or her, and which he or she has provided to a data controller. Article 20(4) also states that compliance with this right shall not negatively impact the rights and freedoms of others.”
Beyond defining portability, just what type of information is considered ‘personal’ under the rules of the GDPR? Various GDPR recitals discuss personal data, giving insight into the definition of the term.
In addition, GDPR portability does not apply to all personal data. Data provided by smart devices and ‘Internet of Things’ appliances, while possibly subject to a right of access request, is not likely subject to portability requirements.
WP262 provides additional guidance on what types of data would be considered personal while also subject to a portability requirement. The GDPR distinguishes two classifications of data: that provided by the subject and “observed data”.
The first consists of information actively and knowingly provided by the data subject (eg, mailing address, username, age, etc.), while the second is provided by the data subject through the use of a service or device.
Observed data may, for example, include a person’s search history, traffic data and location data, and may include other raw data such as the heartbeat tracked by a wearable smart device. Observed data is less likely to carry a portability attachment in response to a SAR.
Despite the limitations of the classification of data subject to portability requirements, GDPR compliance with this aspect of the regulation remains complicated.
GDPR compliance requires organisations to know of the location and content of their digital assets and electronic records. Organisations must know where their data is located and have the means to search and retrieve required information, to meet stringent GDPR requirements. The sanctions imposed for violating GDPR obligations can be severe.
To address GDPR compliance, organisations typically implement information governance strategies, or revise existing policies and records management practices to address the new data protections.
Time limits for responding to a SAR are short, with a response time of fewer than 30 days expected by the ICO. There are provisions outlined by the ICO for extensions of time requests, providing more time to respond to a SAR, but even with extensions, the timeframes to respond are limited.
The technology challenge
Knowledge of data source locations is a key element of GDPR compliance. Without a thorough data map showing an organisation where personal information is located throughout its internal dispersed data landscape, a business entity cannot be GDPR-compliant.
If the ICO investigates a complaint under the GDPR, the locations where personal data might reside will be a component of that inquiry. Data maps and the ability to identify data from various locations are essential elements for the satisfaction of the portability requirement.
Once the organisation understands where its digital assets and data stores are located, it needs an ability to search through information and retrieve whatever relevant data is required. There is a clear need imposed by the GDPR for an organisation to find and retrieve personal information in response to a SAR.
Organisations also need to manage the consent documents for the use of personal information which they receive from users, indicating acceptance of terms and conditions attached to specific business transactions. Without an ability to determine which data contains personal information related to a specific individual, GDPR compliance is impossible.
Determining if, and where, personal information is located within an enterprise can be difficult. Organisations have disparate data sources within their enterprise, and many systems do not communicate with other technology used within the environment. Searching through various databases to detect personal information can be a tedious task, requiring the same search to be performed multiple times across several sources.
The volumes of data in possession of a typical mid-sized organisation can be rather substantial, and the cost and time associated with searching through electronically stored information in response to a GDPR request can be significant.
While deploying technology poses some challenges, it offers solutions designed to reduce the burdens of GDPR compliance.
Using technology to overcome the challenge and comply with portability
Having the ability to index information at the file level from one dashboard, across an entire enterprise’s dispersed data landscape, is a capability delivered by information governance platforms.
Integration of information governance technology with other corporate systems provides an ability to identify personal data, across the entire IT landscape, with only one search.
Auto classification of data on arrival, coupled with pattern matching software, can help automate the detection of personal information. Once the personal data in response to a SAR is identified, information governance technologies will assist with additional steps required by the portability requirements of GDPR, such as reporting of all personal information, ability to transfer selected data, deletion of data, and redaction.
Various actions may be required when personal information is located, depending on the SAR. A report on what type of personal information is in the organisation’s possession might be the only request a citizen is making – information governance software assists in providing detail about files containing personal information.
Reports can show information regarding the file’s attributes and what personal information exists in each electronic record. Subsequent to providing a report in response to the GDPR request, the individual may request a transfer of all the data containing their personal information as defined by the GDPR.
Data transferred subject to the GDPR must be provided in a readable format to satisfy the portability aspect of the regulations. Many types of electronically stored files will readily convert to a PDF format and can be transferred in this manner.
However, what about files that don’t convert well? There might be a need to provide information in a format other than PDF, especially for spreadsheet files that do not convert well to a page-level format. Email files may also require special handling to produce in a manner satisfying portability.
Information governance technology can assist with the transfer process and convert the file formats to PDF or other permissible formats, as part of the transfer requested under the SAR. Once the data transfer is complete, audit reports are available that record the steps taken by the organisation to comply with the GDPR request.
A request made under the GDPR does not always require the organisation to delete the information. Only in the instance that an EU citizen making a SAR enforces their right to erasure does the deletion requirement arise.
Where deletion has been requested, information governance platforms can be configured to delete information from other internal systems. The technology used to identify personal information across the enterprise can also manage the deletion process when required.
A detailed report regarding the deleted information can be provided to further satisfy the portability requirement and any audit that may arise. Portability and purge-ability compliance can both be accomplished through similar means.
Plans for how to efficiently and cost-effectively respond to a right to erasure request will prove vital toward establishing compliance if an audit arises.
As with other GDPR requirements, technology is a key element in demonstrating the ability to comply with the portability obligation.
Consider the tasks involved: search and locate personal information belonging to one individual; search across all data sources across an enterprise; collect information; produce and transfer information in readable format; protect privacy rights of other third parties; delete information on request; and report on actions taken in response to a GDPR request.
This all becomes a much easier obligation when proper technologies are in place.
Using technology effectively makes GDPR compliance possible and the portability requirement manageable. Since sanctions are already in effect, entities that feel their own internal capabilities to respond to a SAR are inefficient should address data protection with a growing sense of urgency.
Due to evolving data protection regulations such as the GDPR, there will likely be an increased number of organisations evaluating technologies to improve their data portability workflow.
It is worth noting that organisations need to address budgetary considerations for the adoption of technologies they are evaluating, and the evaluation period for adoption of a new technology can be lengthy. Organisations faced with a larger number of SARs than anticipated may find they need to escalate the priority of adopting new technologies to assist with GDPR compliance.
The technology used for GDPR purposes also provides additional knowledge management benefits to organisations, by improving the ability to locate and retrieve the required information.
While portability may be a burdensome requirement, if proper plans are in place to use technology with features designed to address GDPR compliance, then there is a high probability of success.