New guidelines were recently published on the Right to Data Portability under the new GDPR rules. There is now an urgent need for all stakeholders, associations and standardization bodies to work together on a common set of interoperable formats to enable this right to portability, argues Orange’s Fabien Venries.
Last month, the European Article 29 Data Protection Working Party published the Guidelines on the Right to Data Portability, clarifying portability issues raised by the General Data Protection Regulation (GDPR), which comes into force in May 2018.
The document clarifies:
- What are the main elements of data portability?
- When does ‘portability’ apply?
- How do the general rules, governing the exercise of data subject’s rights, apply to data portability?
- How the portable data must be provided (format)
Principles
‘Data portability’ allows the transmission of personal data from one data controller to another and is a tool to support the free flow of personal data in the EU and foster competition between controllers.
Data controllers should start developing now the processes and means to address portability requests, such as appropriate download tools and APIs. They should also be encouraged to ensure the interoperability of the data format provided.
There are two potential scenarios:
- A direct transmission of personal data from one data controller to another: For example, when migrating data from one cloud provider to another, the data can be directly transmitted without the technical involvement of the data subject (except for their consent).
- Tools that offer the data subject the ability to download their own personal data.
What data does the GDPR apply to?
Data portability rules apply if the data processing is based either on the data subject’s consent or on a contract.
Data to which it applies:
- Data concerning the data subject, even if this data contains personal data related to other data subjects (see below)
- Not only the data “provided” by the data subject, but also the data generated by and collected from the activities of users: For example, raw data generated by a smart meter.
It does not include:
- Data exclusively generated by the data controller, such as profiling created from analysis of the raw smart metering data collected, scoring of customers, etc.
Another way to describe the data “provided by the data subject” is:
- Data actively and knowingly provided by the data subject
- Observed data: Data derived from the data subject’s use of the service or the device (search history, traffic data, location data, health trackers data, etc.)
What about personal data relating to more than one data subject?
The guidelines go into great detail on the issue of personal data related to a data subject that involves personal data from other data subjects. An example given is call logs, which present the list of calls made and received, with the phone numbers and potentially the names of the user’s contacts.
The recommendation given is that the new data controller should not process such data for any purpose which would affect the rights and freedoms of the third parties. The new data controller must manage the data in a manner that ensures that the other data subjects involved are respected. Specifically, the new data controller may not use the transmitted third-party data for its own purposes, such as proposing products and services to those third-party data subjects.
Informing end-users
Data controllers must inform users regarding the availability of the new right, particularly before any account closure, so that users can make use of their right to data portability.
Identification of the data subject
This aspect is still very open: The identification of the data subject, to ensure a match between the old and new data controller, can be done using identifiers such as email, IDs, and potentially social networks to confirm identity.
Price
Data portability will be free. Provision is made to charge in cases of unfounded, excessive or repetitive activity, but these will be rare and have to be fully justified. The cost of the processes created to fulfill data portability requests should not be taken into account in determining ‘excessiveness’.
Delay
Once requested, there should be no “undue” delay in carrying out the portability request. The maximum allowed is within one month of receipt of the portability request, although in some complex cases, a delay of three months (maximum) can be accepted to comply with the request. The guidelines also recommend informing the Data Subject of the timeframe.
Refusal
Any refusal should be justified and occur in very few cases, even in regard to multiple data portability requests.
Format of data
The data exported must be structured and machine-readable. There is no obligation to be compatible, just interoperable, which means, for example, that the work required for importation by the new data controller is considered an accepted part of its activities.
In cases where the amount of data makes transmission via the Internet problematic, the data controller may need to consider alternative means, such as streaming, saving to a CD/DVD/physical media or allowing for the personal data to be transmitted directly to another data controller.
How the Information Framework (SID) can help
There is no precise recommendation on the data format to be used, so each industry is likely to use its own standards to create the portability format: Banks could rely on the European Banking Federation, insurers in France on the DARVA standard, etc.
As TM Forum looks horizontally across a number of industry verticals, it is particularly well placed to define a portability format based on the Information Framework (SID). The choice of data concerned and the specifics could be done by each industry representative body in the SID format.
There is an urgent need for all stakeholders, associations and standardization bodies to work together on a common set of interoperable formats to enable this right to portability for the end-users and simplify the transmission of personal data.
Simplifying GDPR compliance will be a key topic for the Trust & Privacy Management team at Action Week, Lisbon 2017 (February 6-10) – come along and participate and help shape how it is implemented!
(The Article 29 Data Protection Working Party is also welcoming any additional comments on these guidelines up until the end of January 2017.)