The right to data portability as stipulated in the Nigerian Data Protection Regulation (NDPR) has two essential facets. Data subjects have the right to have their data transferred directly from one controller to another, and data subjects can ask for the transfer of data for use in other tasks for the performance of functions requested by official authorities or in furtherance of public interests.
The concept of data portability involves providing the right technical operations for controllers. Therefore, Nigerian companies must have these technical capabilities embedded within their procedures.
To make it clear, I paint a scenario. A data subject is frustrated with the services rendered by a telecommunication company and would like to switch to another provider. The onus is then on the initial controller to ensure that the transfer of the customer’s data to the other provider is securely executed.
The NDPR takes into consideration the technical feasibility of a company directly transmitting data to another controller. It gives wiggle room to a company that can’t transfer data to another controller. However, this raises a plethora of questions. How can one gauge that the company is technically incapable of transferring data? What are the yardsticks to measure the components of “technical feasibility” in the Nigerian context?
Data portability is as vital as any data subject right according to the NDPR. Getting this right might seem like a gargantuan task for companies, as it leaves them open to various levels of operational cost. However, if the right technical tools are in place, it will not only make the company compliant with the regulation but will also give the controller a competitive edge.
If, for example, a customer is trying to move her data from her provider to the next company, and that company doesn’t have the right technical and operational features to receive data from another company, it raises a problem. That means the company might lose a customer because of the non-existence of an exemplary data portability infrastructure. In other words, a good data portability structure is a two-way thing: both the receiving structure and the sending structure must be available.
Data portability allows customers to enjoy full control of their data and therefore propagates the rights and freedoms of data subjects. It aligns with other rights of the Data Subject Access Requests (DSAR) as stipulated in the Nigerian data protection right.
It is worth mentioning that data portability helps companies to minimise unfair practices of data protection management and reduces the risks of using inaccurate data for decision-making purposes, which could benefit both businesses and consumers. Seen this way, it will help companies with their data accuracy structures.
Therefore, data portability can help companies discover where inaccuracies of data lie within their business procedures and help them attend to these risks. It serves as an additional safeguard for data controllers in empowering data subjects to have control over their data.
The workable mechanisms for data subjects to access, modify, delete and transfer their data give data portability a crucial position in handling data subject access requests. What this means is that a robust DSAR procedure will include data portability.
Data portability can foster a more competitive market environment by allowing the customer to switch providers. It can also contribute to the development of additional value-added services by companies, in that it would motivate companies to ensure that customers get the best out of their services and help them build products and services that would keep their customers. Data portability is, therefore, not only good for the data protection regulation but also for competition and consumer protection. If done appropriately, data portability could enable businesses to maximise the benefits of big data in a more balanced and transparent way.
NDPR should develop knowledge around data portability. It is a crucial element that needs elaboration and further guidance from the Nigerian data protection authority, especially with regard to the technical standards, modalities and procedures required for the transmission of personal data.