Originally published by New Context.
As an individual, you should have the ability to access any personal information a company has about you and transfer that data to another business at any time. That’s the fundamental concept behind the right to data portability, which is outlined in several laws that have recently gone into effect, including the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Under these regulations, businesses based in the EU or California, or who have customers residing in these regions, must be prepared to provide a user’s personal data within a specific timeframe (45 days in California, and 30 days in the EU). This data must be provided in a common, machine-readable format so it can be easily transferred to another platform or provider. Some examples of acceptable file types include JSON, CSV, and XML. The originating provider is responsible for the security of that data while it’s in transit, after which the receiving provider takes over.
The right to data portability may impact your business even if you’re not headquartered in a location subject to data portability laws. If any of the personal information you collect in the course of doing business belongs to an individual in the EU, California, or anywhere else with data privacy and portability regulations, you need to be prepared. It’s important to remember that the GDPR and CCPA aren’t the only right to data portability laws that could affect your business. Countries like India and Brazil also have data portability regulations in place, while Canada, Australia, and the U.S. all have federal legislation in the works.
A user can request their data with a data subject access request, or DSAR. There aren’t any formal requirements for how this request is made—the user has the freedom to use any method of communication they wish—but you can standardize the process by including a template or submission form on your website to make it easier for yourself and your users. Once a user makes a DSAR, you have a limited amount of time to respond, so you need to have a plan in place ahead of time. Here are some practicalities to consider as you prepare for potential data portability requests.
In order to quickly respond to a DSAR, your business must know where all of your customer data resides on your network so you can efficiently find and retrieve it. The best way to identify and track personal information is by using data mapping, classification, and discovery software. These features will allow you to automate the process of tagging, classifying, searching, and retrieving personal data so you can easily comply with a customer’s DSAR.
Both the GDPR and the CCPA stipulate that businesses must verify the identity of a customer before they release any personal information. There are a variety of methods you can use to do this, including common multifactor authentication controls like text message security codes and fingerprint scans. Check your applicable laws to be sure you’re using an accepted identification method—the GDPR, for example, specifies that you must prove a customer’s identity through knowledge (e.g. a security question), possession (like an MFA key fob or cellphone), or inherence (a fingerprint or retinal scan).
If your business receives a DSAR, you must also ensure the security of an individual’s data as it’s being transferred off your platform. In addition to using a trusted and compliant data encryption method, you should also monitor and log the transfer process so you can identify any breach attempts or transmission issues. The right to data portability means the security of a user’s personal data is your responsibility until it safely reaches its destination, so it’s important not to lose track of data while it’s being transferred.
Keeping your customers’ data secure while also remaining flexible enough to transfer that data upon request can be a daunting task to face alone. You’ll need automated tools for data mapping, identity verification, and security and monitoring if you want to ensure you remain fully compliant without sacrificing the quality of your services. There are also data storage solutions available that have specific regulatory controls built-in, so you have an automated means of staying compliant with the laws that affect your business.
However, if your data needs or regulatory compliance obligations are more complex, an out-of-the-box product may not solve all of your right to data portability issues. That’s why New Context works closely with businesses to develop custom-tailored data portability and security solutions that provide maximum control and flexibility while addressing all regulatory restrictions. With the help of our data compliance and portability experts, you can ensure that all DSARs are answered promptly and data is transferred safely and securely.