One of the most important rights under the General Data Protection Regulation (GDPR) is the right to data portability.
What is the right to data portability and how does it apply to cloud computing?
The fundamental concept behind the right to data portability is that an individual should have the ability to access personal information a company has about them and has rights related to transferring their data to other services or businesses. In short, the right to data portability is intended to help people to move, copy or transfer their personal data easily from one service to another in a safe and secure way, without affecting its usability.
How does the right to data portability affect businesses?
A user can exercise their right to data portability by requesting their data at any given time. They make this request by sending a data subject access request, commonly called a DSAR or SAR.
Once a person makes a DSAR, the company that receives the DSAR has a limited amount of time to respond to the request. It’s typically one calendar month. This has forced businesses to reconsider how user data is processed and stored in order to be able to deliver complete and timely responses to DSAR requests.
Preparing your business for a DSAR is not just about where data is stored, it’s also about how the data is stored. Personal data must be stored by businesses in a way that it is both available (see above) and secure to comply with data portability regulations.
It gets even more complicated because making both personal data availability and security work involves technical, regulatory and process related work – among other skills sets and activities. Examples of security and operational protocols for businesses to achieve personal data availability and security are::
Control of Access for DSAR requests
In addition to the security measures implemented to prevent unauthorised access to data on cloud infrastructures, businesses must have a mechanism in place for confirming the identity of a user who submits a DSAR. GDPR explicitly states that organisations must employ a method of verification that verifies a user’s identity by knowledge, possession, or inherence.
As the time period is limited for responding to a DSAR request, companies must ensure that the data on the cloud infrastructure can be retrieved quickly. This is why the use of data classification and mapping software becomes extremely important. These types of software enable businesses to effectively classify and categorise their data for quick retrieval.
Businesses will need to respond to a valid exercise of the right to portability by transferring data from their IT environment to another – at the very least by sending the data in a secure way to the person making the DSAR request. Data encryption is crucial to this transfer. The encryption method that businesses should use depends on the type of data the user has requested. For example, if the user’s data falls under the HIPAA (Healthcare Information Portability and Accountability Act) law, businesses must use the Advanced Encryption Standard (AES-256) encryption. In all cases, it’s best practice to only transfer personal data in response to a data portability request in an encrypted format.
Here’s how R&D Tax Credits may help
The right to data portability can enable new features and products that increase individuals’ choice and reduce switching costs between platforms. Previous to GDPR, there were no or limited consumer rights to migrate personal data from one service to another. Startups and companies with value propositions that centre on personal data use cases now have an opportunity to facilitate transfer of new and existing users/customers’ entire data to their cloud platform.
Apart from the possible opportunities, failure to comply with data portability regulations can jeopardise a company’s credibility, regulatory and legal position. Research & Development is a requirement to enhance and strengthen existing security protocols and deliver users a seamless data portability experience. In many countries, this ties in with government recognition and financial support for Research and Development into cloud in the context of these new technologies. In some cases, this support takes the form of targeted support and grants such as DAPSI. In other cases, there are more general research and development tax credits that can let SMEs, startups and companies claim eligible costs for data portability related research and development. As an example, the UK government confirmed in the United Kingdom’s 2021 Autumn Budget that qualifying expenditure for R&D Tax Credits will be expanded to include data and cloud computing costs. This change will help companies involved in data portability research and development get cash back or a tax credit using the R&D Tax Relief scheme for qualifying costs that fall under R&D tax credits.