Is GDPR Failing To Deliver Data Portability?
Six months in, and it is difficult to separate GDPR theory from GDPR reality. So I decided to find out for myself.
As a self-confessed data geek, I have long had an interest in the concept of ‘data portability’.
That is to say, from the data subject perspective, being able to ask an organisation who holds my data to give me a copy of that data, ideally in a ‘machine readable’ format that I can then use for my own purposes, including sending it to another organisation.
Over the years I got involved in a few projects with that aim. www.dataportability.org was an early one that made some headway but gained little traction in terms of causing real data to flow. U.K. Government also created one such organisation called MiData that showed promise.
It turns out however, that there is one gigantic problem stopping data portability emerging at scale: Organisations don’t want it to happen.
That’s understandable, I guess; They are thinking, ’why would we want to freely give away an asset that can then be used against me?’ Sure, there have been a few examples of corporate arms being twisted into doing something in the area; especially where monopolies can be protected by putting a few crumbs out there. But I would guess that data currently seen as genuinely portable in an appropriate format would be a tiny proportion of what it could be.
I had great hopes that GDPR would change all that. The regulation is very clear.
The UK Information Commissioner’s web site says this about Data Portability:
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine readable format. It also gives them the right to request that a controller transmits this data directly to another controller.
Seems pretty clear what is required, right?
So, being that data geek, I decided to test the theory. In the last 2 weeks, I have submitted 25 data portability requests to 25 organisations that I know I have given data to.
Let’s leave their names aside for now (I will post a full table when i’ve received and tabulated all the results); suffice to say that all are more than big enough to have robust GDPR processes in place.
I started my request process at www.datarightsfinder.org ; I figured that as the ICO had backed the site then it would likely be accepted by the recipient organisation, even though their request will most likely amount to a simple email to the relevant party (the DPO in most organisations). I then extended my requests beyond those organisations listed on the site; I used the standard email format and found the DPO email address on the subsequent organisations’ privacy policies.
What happened since then has been quite surprising. Of the 25 data portability requests, I have had:
- 2 responses that I’d regard as comprehensive and in a modern machine readable file format
- 5 responses that have sent one or more .csv files; which I guess might be machine readable in the loosest definition
- A signiificant number who have not responded at all as yet
- A LOT of confusion, many organisations seemed to assume my requests were subject access requests, even though they were clearly marked ‘data portability request’
- On multiple occassions I have been passed from pillar to post trying to find the right legal entity
- Further confusion about what level/ nature of proof of identity I was required to send and how in order to access my data
One other interesting anomaly has emerged, regarding my home gas and electricity provider. Ironically, that sector, having been a target of the UK Governments MiData project a few years back, should be well geared up for meeting data portability requests.
What should happen:
- I click on the MiData link below
- I am delivered to a standard formatted .csv file with my account details and 12 months summarised energy use.
Here’s what I actually experienced, repeatedly. It’s been like that for the last few days.
Call me a cynic, but do you think that is a genuine and ongoing technical problem? Or is their system programmed to know that I went out of contract last week and thus, if I’m downloading Midata, I’m looking for alternate quotes?
On this early evidence, it appears that GDPR has made little difference to my ability to port my data either to myself, or to others.
That’s not good.
And it certainly does not make me feel like GDPR has put my data back into my own control.
That needs to change. And here’s how:
Data portability, subject access requests or general data availability can be enabled in a particularly efficient way via the JLINC protocol and personal data service. The diagram below illustrates how it works.
Phase 1: The individual (let’s call her Alice) asks for her data
In doing so she articulates the fields she wants and the format – by pointing to an online, machine readable schema. For the technical amongst you, we have re-invented the original MiData energy data scheme as a JSON-LD document, a universal standard machine-readable form. The JSON-LD context document we have created for this is at https://protocol.jlinc.org/context/midata-energy.jsonld and refers to the definitions hosted at https://protocol.jlinc.org/midata-energy-schema/. Once in this form, we can enable data portability by translating it out into any other form as required by any other provider.
Phase 2: Portability is achieved
JLINC gives Alice direct, real time access to the data held by her supplier, and in effect a copy of that data is made in her own JLINC-enabled data store. there is no export/ import of data as such, instead, Fine grained access to data is enabled; both parties agree what data and related permissions (e.g. read/ write/ edit/ delete) will be in place, and a complete audit trail of who did what with the data within the system is automatically generated.
Phase 3: Alice sets up a separate JLINC information sharing channel
She adds the potential suppliers with whom she wishes to share her data. This works the same way as Alice’s view onto her incumbent supplier data-set – in real time, always on, fully permissioned with an audit trail.
Based on my own experience of data portability above (with more to come over the next few weeks), this JLINC enabled model offers many advantages not currently available, well, anywhere. Importantly, what works above in the Energy sector works equally as well in other sectors. As each new schema is made available, the individual at the centre or their own data eco-system becomes more and more empowered. They, and only they are able to aggregate and blend their various data feeds and onward share, all the while retaining persistent data sharing instances with each individual supplier. To find out more or discuss with one of the team, drop us a note at info at jlinclabs.com or use the Contact Us web form at https://www.jlinc.com/