Small businesses & the GDPR Right to Data Portability

Please note this information is now out of date - please refer to the ICO for up-to-date GDPR information. 

How small businesses can implement the GDPR Right to Data Portability

Your customers now have the right to request a copy of their personal data in a format understood by computers.

This request can be made by any means: written, email or verbally and you have one month to respond to any request. There is no provision within the GDPR to charge a fee for this action.

You should always attempt to verify the identity of the person making the request before proceeding - typically by having them state the full name, address, postcode and perhaps other details in the customer record prior to providing the information.

Realistically, I don't expect most small businesses will receive requests for Data Portability with any frequency. The intention of the GDPR here is to enforce larger companies, especially providers of online services, not to lock their customers' data away, especially data created on that service.

For example: if you're a Facebook user you will have created hundreds or thousands of posts on their system over the years. Your assumption is probably that your data now belongs to Facebook and that it couldn't be a taken to a competing Social Media service. By using the Right to Data Portability, you can demand that Facebook provides a copy of all of your data from their platform in a format that might be something a competitor can use to re-create your account there.

What you need to do

This Right is problematic for most small businesses as the type of computer systems typically in use won't support the data export that the GDPR is insinuating is required. You should check though, many Accounts or CRM applications do support an export of some kind - which should suffice, especially regarding being in line with the spirit of the law.

In the unlikely event you find yourself with one of these requests and with computer systems/websites with no data migration or export facility: don't panic. Start up a copy of Excel, or use an online spreadsheet, and methodically copy each piece of the requesting customer's data (name/email/telephone/address/etc.) into a separate column, making your way from left to right as needed - don't start a second row. When you're finished copying and pasting choose to "Save As" a CSV file, and send them the resulting file.

Yes, this is a painful use of half an hour - but it serves the spirit of the law, and you'll have a procedure in place should customers start to utilise their Right to Data Portability.

Ideally

If you can justify the time/cost you could create a web form that allows people to leave their details and allows them to pick which of their GDPR rights they want to exercise. It should then email you all of that information for you to act on. You can see an example here.

Of course, if you have a system that your customer can log into just make sure that there is an export function available within their Account area - your Privacy Policy could then reflect this, potentially saving you from the time lost in manually dealing with any Right to Data Portability requests.

Further details about the Right to Data Portability can be found on the ICO website here.