Data Portability


A core principle behind the GDPR is that personal information is the property of the data subject. This principle is embodied in two key rights: the right of access to data and the right to data portability – in essence the right for an individual to take their data with them or to transfer it between providers of goods and services.


The GDPR is specific on how the right to data portability should be implemented.

It specifies:

  • data should be provided ‘without hindrance’ – i.e without undue process, delay or cost to the data subject
  • data should be in a commonly used format
  • data should be transferred either direct or to another provider at the individuals request

Further guidance specifies that an individual should be able to receive:

  • data they have actively provided; name, address etc via forms and interactions with your organisation.
  • information generated by the user in the course of their activity on or use of any systems or service.

How to:

Implementation of the right to data portability will require IT expertise and experience. The requirement to export data in a suitable format can become a very complex operation when trying to achieve this across multiple systems and repositories.

There are a number of steps that will need to be taken, many in conjunction with your IT provider:

  • Identify what systems you have and what data is stored on them
  • Have processes in place for an individual to request their data
  • Be able to track where data has been sent and who requested it
  • For each system/data set, identify a common export format. This will typically be an XML/CSV file or similar but could equally be another data format if there is a common software in your industry (ask you IT provider for advice). It is unlikely that this export would be a PDF or other flat/fixed format as the GDPR states that the exported data needs to be machine readable – in essence another provider should be able to import the data.
  • Ensure that you can make a direct transfer of data to another organisation if requested to do so by the individual
  • Provide a direct download route for the data subject

Guidance published by the European Data Protection Board also requires that you inform the individual about the security risk of having their data. Whilst you may have stored the data in a very secure manner, once transferred, the individual may not and they should be informed that this less secure situation could arise without appropriate steps being taken by them.

Common Scenarios:

A user wants to know more about their usage of your service

  • Provide the individual with details of their activity within your system – so far as it can be associated directly with the users personal information

A user has built a list of contacts/information on your

  • Provide a facility to give the user an export of the information they have built on your system

A individual want to move to another supplier

  • Send the personal information you hold on that individual direct to the new supplier in a commonly used format


  • GDPR Recitals: 68, 73
  • GDPR Articles: 2, 15, 20

How Gydeline helps

We, at Gydeline, help small and medium sized organisations save money and time by building systems, processes and policies that simplify their business and support their sustainability aims.  We do this with a range of services.

If you would like to discuss any aspects of dealing with this and other risks in your business we are always happy to offer some, free, no obligation assistance – just contact us.

Related Posts