2018, now underway, will be marked at the corporate level by the incipient application of the General Data Protection Regulation, or GDPR. May 25th is the deadline by which all EU Member States, institutions and companies must comply with this new and demanding piece of legislation, binding on any European citizen having control over personal digital information.
To this end, the regulation requires that all companies operating in the European Union establish security controls in order to protect the storage of their customers’ data. The law also recognises users’ right to have their data erased, and a new right to data portability.
In essence, the latter will allow users to receive the personal information that they have provided a service if they so wish and, in addition, dispose of them in a format apt for their transmission to a different service.
Logically, email providers are among the companies that are to send this information to users so that it can be easily transferred to a third party. We explain in detail what this right to portability consists of, and how ShuttleCloud can help any email provider meet its obligation.
What is the right to portability?
The right to portability that companies responsible for data processing must guarantee before mid 2018 is set down in Article 20 of the GDPR as follows:
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where (…) the processing is carried out by automated means.
In exercising his or her right to data portability (…), the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
In essence, the right to portability provides users with the ability to obtain and reuse their data in different services, such that they can move, copy or transfer personal information unimpeded.
This right encompasses, therefore, two different aspects that companies have to take into account. Firstly, users have the right to receive that information in a “structured, of common use and in mechanical reading” format so that they can store it on their device and manage it in a simple way. Second, they must be able to transmit their personal information from one company to another “without impediment”.
Now, what companies have to comply with the requirements of the GDPR and, in particular, manage the personal data of an individual in a usable and transferable way? A report published in the European Journal of Law and Technology states that the right to portability will apply to social networks, search engines, and online stores, in addition to photo storage and email services; everything from large companies (such as banks, pharmaceutical firms and airlines) to the smallest enterprises must meet these requirements.
In fact, violating the requirements of the GDPR can cost organisations dearly, as one of the major developments in the new regulation is the toughening of sanctions.
They will be divided into two ranges. Fines could reach up to 20 million euros, or the equivalent of 4% of corporate turnover the previous year (whichever is larger) for the most serious infractions, such as not having sufficient consent from customers to process their data, or not meeting Privacy by Design requirements.
The law calls for fines of up to 10 million euros, or 2% of the company’s revenue, for those that break rules such as not having their records in order, not informing the supervisory authority of a security breach, or not conducting impact evaluations.
How ShuttleCloud helps you comply with the GDPR
The new data protection regulations, thus, empowers EU citizens: if a user has a virtual mailbox with a certain email provider, and wants to switch to another, the new provider contracted must be able to ask the first for his stored information, in order to be able to transfer it to the second one in a simple way, without losing contacts or emails along the way.
ShuttleCloud, thanks to its email and data migration technology, can help email providers that operate in Europe comply with the new GDPR. But, what can we offer to ensure that email providers comply with the law’s data portability provision?
Thanks to our current technology, a user who wants to transfer his data (emails and contacts) from email provider A to a new one, B, must simply provide us with the data on the new provider. You can check it out on the following email migration portal that ShuttleCloud has developed for Stanford University: the client just indicates the username and password of his old email service.
With these credentials, ShuttleCloud will be responsible for accessing the service (provider B) and will automatically migrate to the provider, on its own and in a secure manner, all the content stored by the user in his email into his new mailbox, along with his contact list, through our API.
Here you can see the complete process to migrate emails and contacts from other providers to Gmail using our technology. For more information on how ShuttleCloud integrates into the services of different clients, see this article.
With this simple procedure and ShuttleCloud’s technology, any email service provider can fully comply with the portability regulation governing this type of data as set out in Article 20 of the new European GDPR law. We guarantee the integration and migration of over 200 email providers around the world, and our clients include some of the most important email services in the world and on the US market, such as Gmail and Comcast.
If you are an email provider operating in the European Union, you must take action to comply with the GDPR. You will have to meet the requirements allowing your clients to enjoy the right to data portability, and ShuttleCloud can help you do this.
Are you an email provider that needs help with data portability and the GDPR? Contact us. We will be happy to help you so that you can comply with the European regulations entering into force on May 25. Write to us at: firstname.lastname@example.org.