GDPR: Who's Responsible for the Right to Portability in the Client-Agency Relationship?

Written by Rick Madigan
December 6th 2017

5 minute read

Welcome to the sixth in our series of GDPR posts exploring the practicalities of the GDPR in the client-agency relationship. You can view our previous post here. This time around we will be exploring the “right to portability”, specifically what it is and what impact it has on implementation and operations within a project.

What is it?

One of the aspects of the GDPR is that users are now in control of their data. If they so wished they could take all of the data you hold on them and sell this on to another Data Controller (e.g. a research company). Once the user requests the data you have on them, it is your job as the Data Controller to then provide all that information in a “machine readable” format (e.g. XML, JSON, CSV) within a reasonable timeframe.

However, there are caveats to this that you should be aware of. The data covered by this right only includes:

  • Data provided by the user to you (e.g. through a form)
  • Data that has been processed by automated means (e.g. data captured by online marketing software, data from a fitness tracker, location data)
  • Data that has been processed based on explicit consent or fulfilment of a contract

Data outside of this is not considered in scope and there is no obligation to deliver this data to the user.

What do we need to consider?

Data portability potentially has a large impact on the business. This can be split into three specific challenges:

  • Technical – being able to extract the data efficiently largely depends on the capabilities of the systems in place. Any inefficiencies could incur large costs on the business.
  • User Experience – the process needs to be as simple as possible for users
  • Business strategy – this right allows for the possibility that users can move their data between you and your competitors so you need to consider this in your strategy up front

Of the three challenges, the agency (Data Processor) can have an impact on the first two options but not explicitly the third.

Our “right to portability” process should consist of the following items:

  • The mechanism(s) that the user can interact with to initiate the process
  • The mechanism(s) for exporting the user’s data
  • The process to be followed and the accompanying audit trail
  • The reporting mechanism to the user (e.g. email notification of deletion process)

How can your agency help?

As we’ve intimated in previous posts in the series, the scope of user data available to the agency (Data Processor) is a few pieces of the jigsaw. There’s a larger challenge facing you (the Data Controller) and you will be ultimately responsible for getting the systems and processes in place but the agency (Data Processor) has a part to play in fleshing these out.

We can break this down into a set of steps for the client and agency to work through to plan and implement the required processes and functionality.

  • The process starts with identifying the systems and channels that the agency is working on for you, e.g. website, marketing software. We need to be clear on what should be covered in the process.
  • We then need to understand what functionality is provided by the CMS or solution underpinning the project. We’re specifically focusing on functionality related to the data portability.
  • We then need to identify the gaps. The DPO can provide support here to lay out the entire functionality required to achieve compliance and we can then identify missing functionality and map out the work involved in fleshing out these gaps. This is going to include ensuring that there is a sufficient audit framework/trail in place.
  • We also need to consider the underlying process and how this functionality will tie into the process. This will include defining timescales.

With all of this in place, we can then implement the required functionality.

The entire process should be documented for auditors/investigators and may need to be factored in to SLAs and contracts established between the client and the agency.

What’s next?

Hopefully, this series of posts has given you an insight into the types of conversations that should be happening between you and your agency. The GDPR is a massive topic with implications reaching throughout your organisation.

While we are not legal experts on the GDPR, the team here at MMT Digital understands the responsibilities of the agency and can work closely with your Data Protection Officer and Compliance teams to hit the ground running in May 2018.