Data portability: the hidden GDPR risk your business needs to cover

Downloading your personal data – who’d have seen it as one of 2018’s top trends? Journalists from The Telegraph to Elle have been downloading their data from the likes of Google and Facebook to see what the tech giants know about them. We’ve seen it happening across the world, all thanks to GDPR.

The right to data portability is one of the most fundamental, but also most contentious rights within the GDPR. Whilst we saw parallels between the Data Protection Act and GDPR, data portability was a brand new requirement for businesses.

With the aim of giving consumers ownership over their personal data, Article 20 reads:

“The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided”.

In an attempt to be GDPR-compliant, businesses scrambled to put together some form of data portability. But although the aim is to benefit consumers, those consumers are instead being put at risk. Businesses have been focusing on how they can execute data portability in a way that’s practical for them – not on what the individual needs in order to receive, safely store and use the data they’ve requested. This in turn opens up a whole host of vulnerabilities for data misuse.

There are three main issues relating to data portability: usability, context and security. Article 20 makes it clear that consumers need to receive their data in a structured and readable format, but this still isn’t happening. Data is being provided in difficult-to-decipher spreadsheets – making it hard for consumers to do anything with them. This in turn leads to a lack of context for consumers. If you download your Facebook data using their tool, there’s no simple way of aggregating it with your other personal data to create a full picture of your digital life.

On the security side, current processes are forcing consumers to take responsibility for something they aren’t qualified to do. The average consumer does not have access to the right technology to safely store their valuable personal data. Security is paramount in keeping both your reputation and your consumers’ personal data safe. Current tools are falling short of what is required by law, and what is expected by customers. Instead, consider an option that enables you to give user data back to them in a way that is secure, private and usable – as this benefits both the individual and the business.

Whenever you consider putting data portability on the backburner, remember, it’s here to help, not hinder SMEs. Data portability lets individuals simply move their data from one service provider to another. If your offering is better than your larger competitor’s, it’s easier for consumers to switch and share their information with you. Now, more than ever, SMEs have the chance to compete for customers on a level playing field.

It’s time to put yourself in the shoes of consumers – would you want to download your data if it wasn’t at all safe? Your business has survived three months of GDPR, and now it’s time to start focusing on the finer details to make sure you’re doing it in a practical way for your customers too, preventing any headaches further down the line.



By Julian Ranger, Founder,
