PRIV- 35 – Personal Data Portability Request

What is this control about?

Implementing the control ‘Personal Data Portability Request’ is crucial for promoting data privacy, empowering individuals, and ensuring compliance with data protection regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). This control enables individuals to exercise their data rights and gain more control over their personal information.

Data portability allows individuals to request a copy of their personal data that an organization holds, typically in a structured, commonly used, and machine-readable format. By implementing this control, organizations demonstrate transparency and respect for individual rights, fostering a relationship of trust with their customers or users.

Available tools in the marketplace

Tools:

DataGrail TrustArc

Available templates

TrustCloud has a curated list of templates internally or externally sourced to help you get started. Click on the link for a downloadable version:

• Leverage this Data Portability procedure example
• Data Portability Request Form template example

Control implementation

Here are some guidelines to implement an effective records of Personal Data Portability Request program:

• Identify Data Sources: Identify all the systems, databases, and applications where personal data is stored and processed within the organization. Create a comprehensive inventory of these data sources, including customer databases, CRM systems, marketing platforms, and any other relevant repositories.
• Establish Data Portability Mechanism: Work with the organization’s IT and legal teams to establish a data portability mechanism. This could include developing APIs, data export functions, or other technical solutions that allow individuals to request and receive their personal data in a structured, commonly used, and machine-readable format.
• Develop Data Portability Request Process: Design a process for handling data portability requests from individuals. This process should include the steps for submitting a request, verifying the identity of the data subject, and confirming the data to be ported. Define the timeframe within which the organization will respond to data portability requests.
• Implement Data Security Measures: Ensure that appropriate data security measures are in place to protect the personal data during the portability process. This may involve encrypting data during transmission, using secure file transfer protocols, and restricting access to authorized personnel only.
• Document Data Portability Policies: Create clear and comprehensive policies and procedures related to data portability. Document how the organization will handle data portability requests, the responsibilities of different teams involved, and the steps taken to comply with data portability requirements.
• Respond to Data Portability Requests: When data portability requests are received, follow the established process to verify the identity of the requester and provide the requested data within the specified timeframe. Document each request and the actions taken to respond.

What evidence do auditors look for?

Most auditors, at a minimum, are looking for the below-suggested action:

• Data Portability Policy and Procedures: Auditors will review the organization’s documented data portability policy and procedures. This documentation should outline the process for handling data portability requests, including how requests are received, verified, and responded to. It should also detail the timeframe for providing the requested data and the formats in which data is made available.
• Data Portability Request Forms or Templates: Auditors will look for standardized data portability request forms or templates used by individuals to submit their requests. These forms should capture essential information, such as the individual’s identity, contact details, and specific data they are requesting to be ported.

Evidence example

For the suggested action, an example is provided below:

• Data Portability Policy and Procedures

Leverage this Data Portability procedure example

• Data Portability Request Forms or Templates

Leverage this Data Portability Request Form template example