After years of preparation, on May 25 2018, the new General Data Protection Regulation (GDPR) has come into force. Much has been written, discussed and speculated about it. Over the past 2 years, organizations have worked frenetically to understand its implications and to be prepared for this date. In this blog we will explore whether the “right to data portability” will drastically change the data industry.
The GDPR is a regulation, not a directive, and this is a main difference with the European data protection directive in force so far. A directive gives room for national interpretations, whereas a regulation is like a national law. Apart from this important change, other relevant changes relate to:
- Geography: the geographical scope is extended to all organizations that serve users in the European Union, regardless of citizenship and of where the organizations is headquartered.
- Penalties: the maximum fine for breaching the GDPR is 4% of the organizations global revenue or €20 million, whichever is greater.
- Consent: organizations that want to process personal data, need to obtain explicit consent (opt-in) through an easy understandable and clear text, defining and explaining the purpose of the processing.
- Data subject rights including the rights to be informed, right of access, right to rectification, right to be forgotten (erasure), right to data portability and right to object.
- Data Protection Officers: the appointment of a DPO will be mandatory for organizations whose core activities consist of operations which require regular and systematic monitoring of data subjects on a large scale, or of special (sensitive) categories of data.
- Breach notification: breach notification to the supervisory authority is mandatory within max 72 hours, and if the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, individuals must also be notified without undue delay.
In this post, we will talk about one of the less known new rights of citizens, namely the right to data portability. This right has not received too much attention in all discussions around the GDPR. However, we believe that it might be a future game changer for many industries.
The right to portability allows individuals to obtain a copy of their data and to reuse it for whatever purpose they see fit. They could use it just for their personal interest; or to transfer their data to a new service provider such as an electricity or insurance company. The new service provider would then “know” the new customer from day one. Not all personal data a company has about a customer falls under the right to portability. Covered are:
- The data the customer has provided to the service provider, such as name, address, bank information, etc. and
- The “observed” data that the service provider sees based on the customer’s usage of the service such as the KwH consumed, claims made or financial transactions made, etc.
What is not covered is any information the service provider infers about the customer. For example, a company may use a Machine Learning model that assigns a score to customers reflecting the likelihood they will leave the company. This inferred “churn score” does not fall under the right to portability.
Organizations that have prepared for this might have asked themselves the question of how many customers would exercise their right to portability. This is important since a low amount (in the hundreds) might be manageable in a manual way, whereas a large amount (e.g. in the ten thousands or even more) might require automation of the process, and therefore investment. There are usually two approaches companies have used to estimate the number of expected requests:
- They compare it with the right to access data, which is already a right under the current data protection directive, and assume similar amounts as today. In general, very few people exercise their right to access data, and most of the companies handle those requests manually.
- Another way companies use to estimate the number of requests for data portability is the (voluntary) churn rate of their customers. Customers that decide to change service provider might see a benefit in bringing their personal data to the new service provider because that makes the onboarding process easier; no need to fill in lots of information. Moreover, the new service provider can look at the usage behavior and give tailored services to the new customer from day one of the relation. Not all customers that churn will however chose to port their data. For instance, in the insurance industry, customers that have submitted many claims, might want to keep that information away from their new insurance company so that they are not penalized with a higher premium.
In most cases, those two approaches have led organizations to believe that the right to portability will not be exercised too much, and therefore they have considered no specific investments to prepare for massive portability requests.
In the short term, those organizations are probably right, and have taken the right decision. However, we think that this particular right might have a huge impact on many businesses across many sectors.
Here is why…
The right to data portability also means that users can request service providers to directly transfer their personal data to other service providers. Moreover, users can authorize third parties to file the requests on behalf of them. And this is the point that might have a game changing impact on the data industry. Imagine that Amazon reaches out to all its customers to suggest that they authorize Amazon to file a data portability request on behalf of them to port their data from all their service providers (e.g. insurance, utilities, telecommunications, etc.) to Amazon. In return, Amazon promises to all customers who agree, to provide them with a better and cheaper alternative service, and significant discounts on future purchases. If Amazon were to offer telecommunications and insurance services, then through this campaign, Amazon could acquire many new customers. But more importantly, Amazon would have access to the personal data of all those users who accepted Amazon’s offer and could start creating value from this data. If this happened at a massive scale then, suddenly, the private data of the “left” service providers would have lost its uniqueness and thus would have become less differential. If we take this scenario to the extreme, then we might imagine a data war between companies to gather as much personal data as possible, and all in a way that is fully compliant with the GDPR. In the end, users are just exercising their right to data portability.
Seen like this, it looks like a major threat for companies that are currently exploiting their propriety data for business because it is differential data; only they have access to this data. Notice, however that it can also be seen as an opportunity. Any organization could try to convince customers to port their data to them, and thereby increasing their customers and/or their data assets. If such a scenario happens, we think it is likely that it will be started and led by the likes of GAFAs and/or startups.
Of course, this scenario will not happen overnight. Several things need to be in place for this scenario to become realistic. First of all, the GDPR already mentions that the data needs to be ported in a structured (e.g. columns and rows), commonly used (e.g. CSV) and machine-readable format. A second requirement is that data portability should be an automated process powered by APIs. This makes it similar to the PSD2 regulation (Payment Services Directive) in the financial sector, that obliges banks to open their customer information through APIs to support so-called Open Banking. In this scenario, customers can tell the banks to give access to their financial data to third parties who can then provide them with additional value or even transactional services. Banks might see this as a major threat, but they shouldn’t forget that they might charge for API usage and thus create a new revenue stream. Together, the GDPR’s data portability right and PSD2 might significantly change the banking and data industry.
But neither automation nor APIs are sufficient for the scenario to work. What is still needed is a standard format to interchange data. Otherwise, a lot of effort needs to be done on the receiving side before the data can be processed. So apart from the data being in a structured, commonly used and machine-readable format, it also must be in a standard format. Only then, ecosystems can scale in a transparent way, with a possibly game-changing impact.
With this in mind, there are three possible scenarios to consider:
- No standard – Each organization ports data in its own format, and receiving organizations need to build translators from the source format to the destination format. This will cause much data integration work, but on the other hand, it could start today.
- Sector standard – The different organizations of a sector define on a commonly agreed sector format. For instance, all major telecommunications companies in a country could come together to agree what data fields to interchange and what the format should be. Examples of this include the so-called Green Button in the utility sector in the USA: “The Green Button initiative is an industry-led effort to respond to a White House call-to-action to provide electricity customers with easy access to their energy usage data in a consumer-friendly and computer-friendly format.” Another example is the so-called Blue Button for the healthcare sector, also in the USA: “The Blue Button symbol signifies that a site has functionality for customers download health records. You can use your health data to improve your health and to have more control over your personal health information and your family’s healthcare.”
- Universal Standard – This is a cross-sectorial approach that tries to come up with a universal standard for data portability: the Rainbow Button: “The ‘Rainbow Button’ project has been initiated … by 8 leading companies …., in order to define a common framework for the deployment of the ‘portability right’ as described in the GDPR and the guidelines to data portability provided by WG29 in April 2017.” According to Fing, the organization that started the Rainbow Button initiative, “The regulators confirm that the right to data portability is at the heart of the creation of a data ecosystem and the services of tomorrow, based on new data usages initiated and controlled by the data subjects. The target is not limited to switching services (churn), but really to spark the creation of a new range of services based on data.” Another important initiative promoting the same approach is “midata” in the UK.
When all these requirements have become a reality, then the impact of the right to data portability will have a game-changing impact on the data industry through the creation of thriving data ecosystems, where data can float freely around in a transparent way, and always under strict control of the users.