Article 29 Working Party: First GDPR guidance puts data portability in the spotlight

The data protection regulatory regime in Europe is in the process of being overhauled. Data protection is currently regulated in the UK by the Data Protection Act 1998. However, a new EU General Data Protection Regulation ("GDPR") will apply from 25 May 2018, following a two year implementation period.

Towards the end of December last year the Article 29 Working Party ("WP29"), an advisory body comprising national data protection officers from across EU Member States, adopted and published its first guidelines and FAQs on the GDPR. The guidelines cover the three areas outlined below and are considered by the WP29 to be of particular priority:

• The right to data portability: The guidelines clarify how organisations should interpret and implement the new GDPR right to data portability and recommend practices and tools that support compliance with this new right.
• Data Protection Officers ("DPOs"): This opinion provides further information about the designation and role of a DPO.
• Identifying a Lead Supervisory Authority: The guidelines contain detail on the identification and designation of a lead supervisory authority. This is relevant where a controller or processor is carrying out cross-border processing of personal data.

Of particular interest, the right to data portability allows for data subjects to receive the personal data which they have provided to a data controller in a structured, commonly used and machine-readable format and to transmit them to another data controller. This is a new right for data subjects - it differs from the existing right of access and is intended to "empower" data subjects, to give them more control over their own personal data. As the right enables direct transmission of personal data from one data controller to another, it is seen as a key tool to support the free flow of personal data in the EU, to encourage competition between controllers and to support switching between service providers. The guidance also recommends that industry stakeholders and trade associations work together on a common set of interoperable standards and formats to provide the requirements of the right to data portability.

Whilst having "appropriate technical and organisational measures" in place from a data security perspective is not a new concept under the GDPR, the likely rise in transmission of data from one information system to another as a result of the new data portability right, may give rise to an increased security risk - particularly the risk of data breaches during the transmission. The guidelines acknowledge this potential source of risk and confirm the data controller is responsible for taking all security measures needed to ensure that personal data is securely transmitted (e.g. by use of encryption) to the right destination (e.g. by use of additional authentication information). Such measures must not, however, be obstructive in nature or prevent users from exercising their rights. Where data subjects retrieve their personal data online, they should be made aware of the risk that their own system may be less secure than that provided by the service. Data controllers could also suggest appropriate format(s) and encryption measures to assist data subjects mitigate the associated security risks themselves.

Stakeholders had until 15 February 2017 to comment on the guidelines. The WP29 has also announced that further GDPR opinions and guidance will follow later this year, including in respect of Data Protection Impact Assessments and Certification. Organisations will, no doubt, welcome the WP29 guidance as they continue efforts to prepare for GDPR compliance.

The first three sets of guidelines and FAQs can be accessed here.