Dataccess: for consistent and positive portability (#GDPR)
The right to portability of personal data introduced by Article 20 of the General Data Protection Regulation (GDPR) is undoubtedly the one for which companies are currently the least prepared.
It creates an obligation that goes well beyond the mere protection of personal data, and extends to their reuse by the individuals they concern (the “data subjects”). For companies accustomed to considering these data as jealously guarded assets, this is a huge change. But precisely which data should become portable? For what purpose, and how should their availability and reuse be organized?
There was obviously a need to help companies figure out what portability meant for them. This was the first objective set by the companies gathered around the Dataccess project, led by Fing within the broader framework of the MesInfos program.
MesInfos is a bit of “portability before portability”. This project brings together many partners to explore the concept of Self Data: enabling individuals to become masters of their data by retrieving them from the information system of organizations with which they are in contact, by storing them in secure spaces where they can administer their data and especially by deriving value from them through third-party services. http://mesinfos.fing.org/english/
We also chose to go further. By defining common specifications, usable by any type of organization, we wanted to turn the exercise of the right to portability into a positive moment in the relationship between organizations and individuals (customers, users, employees …), as well as into a source of value creation.
We therefore set out to develop guidelines for an implementation of portability that is both user-centric and consistent from one company to another. We have set a reasonable, but significant, level of requirement that could ultimately lead to the emergence of a Dataccess label: the label for “data-responsible enterprises” (or organizations), which believe that making portable data available under good conditions is part of their commitment to the individuals with whom they have a relationship.
The Dataccess specifications are organized around the “user experience” of portability. Having covered that, they also try to answer some of the most frequent practical questions that companies ask themselves: how to delimit the perimeter of portable data? Can we put conditions on their availability? What to do once the data has been ported, possibly to a third-party service? How do rights and responsibilities circulate along with the data? …
The resulting document is published under a Creative Commons license, in order to promote its implementation by the largest possible number of organizations. It is only a first version: some less urgent topics have not been treated (we propose a backlog list at the end of the document), and more will emerge during the first implementations.
Fing does not, however, intend to manage the evolution of Dataccess, which is potentially not just a specification document: should it become a label and, if so, who will award it (and withdraw it)? Is there a directory of data-responsible companies, of available data and/or services? Should there be specific outreach and training actions?…
It is now up to the data-responsible companies and public organizations to take over, either nationally or on a larger scale. For now, we are proud to provide you with one of the world’s first collective works towards a positive, consistent and ambitious implementation of the right to portability.