Much has been written about the consternation and concern of businesses around the world regarding the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. The GDPR applies to companies operating within the EU that control or process data. Notably, it also applies to companies outside the EU that offer goods or services to EU residents.
Despite all the press surrounding the GDPR, new light is beginning to shine on the innovative aspects of the regulation, notably on Article 20, which creates a new right to data portability. Data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Under Article 20, a data subject may request a copy of all his or her electronically stored personal data and/or have the right to transmit that data to another data controller without hindrance. The days of data silo and vendor lock-in could be numbered as the GDPR allows for movement of personal data in a structured, commonly used, and machine-readable format.
Currently, a consumer must submit new and complete information packets to each data controller with whom the consumer seeks to transact business. As a result, many consumers spend unnecessary time and resources re-entering personal data they have previously provided to other controllers. In this walled-off environment, consumers may be less likely to transact business with new controllers, artificially suppressing consumer choice in the process. Innovation and growth similarly suffer because smaller and/or newer data controllers may find it difficult to compete with established competitors. The GDPR has the potential to level this playing field because consumers could avoid the hassle of re-entering all their data or losing any data if they switch to a new controller.
This new right to data portability is not without complications. Even though the GDPR may allow for and foster the growth of data portability in the aggregate, it may not streamline every case because of system incompatibility within and among businesses. Further complicating the picture is the variance between established systems and newer software. The sooner industry players develop the means to respond to data portability requests and transfer information in a commonly used and machine-readable format, the quicker the benefits will accrue to consumers and businesses alike.
In particular, U.S. companies, which may be lagging behind European companies in preparation for the GDPR’s implementation in approximately six months, should conduct a legal analysis to determine if they are subject to the GDPR’s requirements, research suitable technology, and implement appropriate measures to ensure compliance.