Skip to main content

How Data Portability Can Be Managed Securely

Copado DevSecOps - Blog Series

Originally published by New Context.

Data portability is a concept that centers on access because it prevents information from being trapped in a single program. Data isolation makes it challenging to create backups necessary for system continuity and prevents users from moving platforms as they choose, so mobility is a necessity. However, providing essential access comes with its own set of challenges.

Any company handling a request related to data portability must send it securely. Simultaneously, security can’t interfere with the user’s ability to access it and understand the information. Managing this requires the strategic use of encryption, access control, and monitoring.

What is Data Portability?

Data portability is the right of consumers to migrate data from one platform to another. It prevents individuals from being tied to one provider because of silos. Companies respond to data requests in several ways. They may provide a downloadable zip file. They may offer specific export tools, or they may transfer the information directly to the new platform. All of these are acceptable methods.

Many acts and data regulations cover a consumer’s right to access and move their data. Perhaps the most prevalent is the European Union’s General Data Protection Regulation. The law was implemented in 2018 and covers various aspects of consumer data management, including protection requirements and collection limitations. It also addresses data portability requirements.

Data Portability and the GDPR

While there are many different requirements to data portability based on region, one of the most all-encompassing is the GDPR. It applies to any enterprise that processes data for individuals in the European Economic Area, regardless of the company’s location. As a result, many domestic companies must meet its requirements.

Data portability in the GDPR is defined under two separate sections: access and explanation.



Access indicates that the consumer can obtain their data—however, it does not specify that the information must be human-readable. As data transfers usually occur between two platforms, this is rarely an issue. If anything, raw data makes the transition easier. However, the addition of human-readable requirements is likely, so it’s wise to plan. This section centers on data used to make a decision. Credit reporting provides a very similar example. If a consumer applies for a loan and is denied, the agency must—upon request—provide a copy of the credit report that impacted the decision. The GDPR has a similar provision; only it applies when an automated program uses data to make a decision that has a legal or significant impact on the user.

Just because a company is required to provide information on request does not mean they can do so in any way they wish. They still should protect that data from bad actors.

What is Data Portability? - Copado

Securing Data While Maintaining Access

When it comes to data portability, companies have to manage three specific obligations:

  1. They have to verify the person requesting the data is who they say they are.
  2. They have to ensure its security as it transfers from one space to another.
  3. They must preserve that data’s security and integrity through all steps.

Access control is best managed through multifactor authentication (MFA). In this, the user needs to prove their identity through knowledge, possession, or inherence. Informally, these three points are often considered something only the user has, knows, or is. Examples of all three would include a text message pin code, an answer to a security question, or a fingerprint scan. Adding this additional step ensures the company completes its due diligence in verifying the identity of the requestor. These steps can be achieved using authentication apps, like Google Authenticator or a physical security key or token, like YubiKey or RSA SecurID.

Encryption is a vital point when it comes to data transfer. Data is particularly vulnerable when it moves from one point to another, so encryption ensures that if it’s interrupted in its flow from point A to B, it’s not readable. When it comes to sending data directly to the user, encryption is still possible. They need a key to decrypt it and make it human-readable on receipt. Access control is also a vital part of any encryption process, as is regularly rotating these keys to stay compliant with requirements from agencies like the PCI Security Standards Council.

Maintaining data integrity is all about monitoring. Immutable records allow a company to control who uses the data and see where changes occur in the pipeline. They also help them discover issues earlier to restore backups if data is inappropriately updated.

MFA, monitoring, and logging ensure that companies can meet data portability standards without risking the security of their users. Building these three functions into programs will also allow companies to scale them and manage changes as requirements are updated. Data portability guarantees consumers access to their data, but innovative companies go the extra mile to share it safely.