Welcome to next part in my series of GDPR posts exploring the practicalities of GDPR in the client-agency relationship. This time around I’ll be exploring the “right to portability”, specifically what it is and what impact it has on implementation and operations within a project. It is another important part of GDPR that should be aware of.
What Is It?
So, continuing from my previous post here, one of the aspects of GDPR is that customers are now in control of their data. If they so wish, they could take all of the data you hold on them and sell this on to another Data Controller (e.g., a research company). Once the customer requests the data you have on them, it is your job as the Data Controller to then provide all that information in a “machine readable” format (e.g., XML, JSON, CSV) within a reasonable timeframe.
However, there are caveats to this that you should be aware of. The data covered by this right only includes:
- Data provided by the customer to you (e.g., through a form)
- Data that has been processed by automated means (e.g., data captured by online marketing software, data from a fitness tracker, location data)
- Data that has been processed based on explicit consent or the fulfilment of a contract
Data outside of this is not considered within the scope and there is no obligation to deliver this data to the customer.
In addition, data portability is not an absolute right. The Data Controller needs to assess the legitimacy of the request, e.g., it will need to be weighed against the rights of others.
What Do You Need to Consider?
Data portability potentially has a large impact on your business. It can be split into three specific challenges:
- Technical – being able to extract the data efficiently largely depends on the capabilities of the systems in place. Any inefficiencies could incur large costs for the business.
- User Experience – the process needs to be as simple as possible for your customers.
- Business strategy – this right allows for the possibility that customers can move their data between you and your competitors so you need to consider this in your strategy from the outset.
Of the three challenges, the agency (Data Processor) can have an impact on the first two options but not explicitly the third.
Your “right to portability” process should consist of the following items:
- the mechanism(s) that the customer can interact with to initiate the process
- the mechanism(s) for exporting the customer’s data
- the process to be followed and the accompanying audit trail
- the reporting mechanism to the customer (e.g., email notification of the process being initiated)
How Can Your Agency Help?
As I’ve intimated in previous posts in the series, the scope of customer data available to the agency (Data Processor) is a few pieces of the jigsaw. There’s a larger challenge facing you (the Data Controller) and you will be ultimately responsible for getting the systems and processes in place, but your agency (Data Processor) has a part to play in fleshing these out.
This can be broken down into a set of steps for you and your agency to work through to plan and implement the required processes and functionality.
- The process starts with identifying the systems and channels that your agency is working on for you, e.g., website, marketing software. We need to be clear on what should be covered in the process.
- You then need to understand what functionality is provided by the CMS or solution underpinning the project, in particular the functionality related to the data portability.
- You then need to identify the gaps. The DPO can provide support here to lay out the entire functionality required to achieve compliance and you can then identify missing functionality and map out the work involved in fleshing out these gaps. This is going to include ensuring that there is a sufficient audit framework/trail in place.
- You also need to consider the underlying process and how this functionality will tie into the process. This will include defining timescales.
- With all of this in place, you can then implement the required functionality.
The entire process should be documented for auditors/investigators and may need to be factored into SLAs and contracts established between you and your digital agency.
What’s next?
Hopefully, this series of posts has given you an insight into the types of conversations that should be happening between you and your agency. The GDPR is a massive topic with implications reaching throughout your organization.
While we are not legal experts on the GDPR, the team here at MMT Digital understands the responsibilities of the agency. If you have any opinions on the points in this article, feel free to write your comments below. It is definitely approaching a critical time for you to implement many of the key areas this blog post has touched upon. Do read back through the earlier articles too to understand better the impact GDPR will have on your business and act accordingly. The topic of GDPR is one that is dear to our hearts. Check out some of the critical points you should be addressing here.
DISCLAIMER: All data and information provided in this blog post are for informational purposes only. Kentico makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information contained herein. We recommend consulting with a lawyer for any legal advice pertaining to GDPR compliance.