everythingpossible - Fotolia

What will GDPR data portability mean for enterprises?

Enforcement of the EU's Global Data Protection Regulation is coming soon. Mimecast's Marc French discusses the big questions about GDPR data portability for enterprises.

Data portability may be near the bottom of the list of key challenges with the European Union's new General Data Protection Regulation, but it is one more hoop that information security professionals will need to find a way to jump through. Data portability may seem simple to implement, but even the simplest aspect of GDPR can still produce surprising challenges.

Under Article 20, GDPR data portability is the right of EU data subjects -- citizens or residents of any EU member nation -- "to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided," as specified in the new regulation.

It may seem simple in theory, but the practice of complying with GDPR data portability may have some unexpected twists, especially for businesses that track lots of consumer data, like search engines, social media sites and retail websites.

Marc French, senior vice president, chief trust officer and data protection officer for GDPR compliance at Mimecast, a cloud email security company headquartered in Lexington, Mass., explained just what it will take to comply with the new GDPR data portability requirement, and the state of standards for formatting data to comply with the law.

Marc French: This is the one where the way the regulation reads it is, 'I have the ability for me to take my data with me to someone else.'

Now, there's two kinds of sticky wickets with this. One is, what does it mean to take your data with you, to where? And two, what time frame is actually outlined to get the data out?

Marc French, Mimecast CTOMarc French

If I go to Google and say, 'I want data portability, so I want you to take my search queries out,' they could probably generate that data somehow. It's unclear what format [the data would be in] because there's no central format for portability; that didn't get baked into the regulation. So every one of these vendors is going to give you something different.

And then, to what end? Say you produce for me a CSV file and I'm going to put it over to Bing. What does it mean to put it over to Bing? To what end are you actually going to port it out, and how does Bing ingest that? Is Bing going to force you to reformat that text file into an XML file so it can load it into their environment?

This is the one I think that is the most open ended now because there's really no guidance as to the formatting and the targets.

And then there's also no guidance around how long is it going to take? It [Article 20] says 'as soon as feasibly possible.' What happens if feasibly possible is six months? There really hasn't been any guidance yet as to how long it would take you.

So say you're an avid searcher, and you've got seven petabytes worth of data in Google; how long is it going to take for Google to get that out from a portability perspective, and is there an expectation that the production of anything of any size is free? Because if I had to generate seven petabytes, I don't know that I could push that to you over a bandwidth pipe. I might have to send you a CD. All those things, right now, are completely up in the air from my perspective.

I see a lot of folks, [including] my peers out there, basically holding on the portability side because it's so ambiguous right now. They don't know where to invest or how to do it because of all those open items, so a lot of folks are pushing that to the back burner until they produce much more guidance around it. They don't know how to service it, they don't know what the target is and they don't know what the time frames are. So there are so many open-ended questions now that most people are just kind of in a waiting pattern.

[As for new standards for GDPR data portability], I haven't seen anything. We'll probably arrive at some kind of reasonableness from a time frame perspective, but I'm not sure that I've seen anything or heard anything about, 'everybody's going to produce a CSV file,' as an example, in comma-separated format. I haven't seen anything like that on any of the wires or any of the guidance or any of the conversations I've had.

Dig Deeper on Compliance