Foreign No More: Transferring Data on Demand U.S. Companies and GDPR Data PortabilityMuch has been written about the consternation and concern of businesses around the world regarding the European Union’s General Data Protection Regulation (GDPR), which takes effect on May 25, 2018. The GDPR applies to companies operating within the EU that control or process data. Notably, it also applies to companies outside the EU that offer goods or services to EU residents.

Despite all the press surrounding the GDPR, new light is beginning to shine on the innovative aspects of the regulation, notably on Article 20, which creates a new right to data portability. Data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. Under Article 20, a data subject may request a copy of all his or her electronically stored personal data and/or have the right to transmit that data to another data controller without hindrance. The days of data silo and vendor lock-in could be numbered as the GDPR allows for movement of personal data in a structured, commonly used, and machine-readable format.

Currently, a consumer must submit new and complete information packets to each data controller with whom the consumer seeks to transact business. As a result, many consumers spend unnecessary time and resources re-entering personal data they have previously provided to other controllers. In this walled-off environment, consumers may be less likely to transact business with new controllers, artificially suppressing consumer choice in the process. Innovation and growth similarly suffer because smaller and/or newer data controllers may find it difficult to compete with established competitors. The GDPR has the potential to level this playing field because consumers could avoid the hassle of re-entering all their data or losing any data if they switch to a new controller.

This new right to data portability is not without complications. Even though the GDPR may allow for and foster the growth of data portability in the aggregate, it may not streamline every case because of system incompatibility within and among businesses. Further complicating the picture is the variance between established systems and newer software. The sooner industry players develop the means to respond to data portability requests and transfer information in a commonly used and machine-readable format, the quicker the benefits will accrue to consumers and businesses alike.

In particular, U.S. companies, which may be lagging behind European companies in preparation for the GDPR’s implementation in approximately six months, should conduct a legal analysis to determine if they are subject to the GDPR’s requirements, research suitable technology, and implement appropriate measures to ensure compliance.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Amy Puckett Amy Puckett

Amy Puckett’s practice includes diverse experience in the areas of employment law and financial services regulatory compliance and contract negotiation.

In her employment practice, Amy advises employers on compliance and best practices for employment policies, as well as employee management, training, and, when…

Amy Puckett’s practice includes diverse experience in the areas of employment law and financial services regulatory compliance and contract negotiation.

In her employment practice, Amy advises employers on compliance and best practices for employment policies, as well as employee management, training, and, when necessary, discipline or termination. She represents clients against claims relating to Title VII of the Civil Rights Act, the ADA, the FMLA, the North Carolina Trade Secrets Protection Act, confidentiality and non-disclosure agreements, and breach of employment contracts. She also drafts and negotiates employment contracts, including non-competition agreements, non-disclosure agreements, and severance agreements.

In her financial services practice, Amy advises financial institutions on compliance with the regulations of the Consumer Financial Protection Bureau (CFPB), as well as other state and federal regulations. She helps clients remain in compliance with and respond to inquiries from the CFPB, state attorneys general, and state banking departments. As a member of the firm’s Banking and Financial Services team, she also negotiates vendor services contracts and consulting services agreements for clients.

Previously, Amy served as vice president of Relationship Management and Compliance for E4E Relief LLC, a wholly owned subsidiary of Foundation For The Carolinas and one of the largest community foundations in the United States. In that role, she served as the dedicated relationship manager for clients, helping set up grant programs for companies to assist their employees during times of disaster or financial hardship and providing day-to-day support, stewardship, and philanthropic counsel. She also directed E4E Relief’s contract compliance program, ensuring compliance with contractual obligations, as well as IRS guidelines and domestic and international data privacy requirements.