The Right to Data Portability, in Plain English

What portability actually means

Data portability is one of the rights set out in the UK GDPR. In plain terms, it lets you take the personal data you have given to an organisation and either receive a reusable copy of it yourself, or ask for it to be sent directly to another organisation where that is technically feasible. The point is reuse: you should not be locked into one service simply because your information lives there.

The format matters. Portability asks for data in a structured, commonly used and machine-readable form, for example a CSV or JSON file rather than a scanned image or a screenshot. That is what makes it different from simply being shown your records: the aim is information you, or another provider's system, can read and load again.

This article is general information, not legal advice. Your situation may have specifics that change how a right applies, and the right way to resolve a dispute is with the organisation or, if needed, the Information Commissioner's Office (ICO).

• Applies to personal data about you
• Delivered in a reusable, machine-readable format
• Can be sent to you, or to another provider where feasible

Where the right starts and stops

Portability is narrower than people often expect, and knowing its edges saves frustration. It applies to data you provided to the organisation, and only where the processing is based on your consent or on a contract with you, and is carried out by automated means. Data the organisation worked out about you on its own, or that it holds under a different legal basis, may fall outside it.

Practically, this means information you typed into a sign-up form, your contacts in a service, your activity logs, or readings from a device you use can often be portable. Conclusions an organisation drew about you, or paper records, generally are not covered by this particular right, although they may still be reachable through the broader right of access.

If portability does not fit, the right of access usually still does. A subject access request gives you a copy of your personal data more broadly, even if it is not always delivered in the neat, reusable format portability promises.

• Covered: data you supplied, processed by consent or contract, automatically
• Often outside it: data the organisation inferred or derived about you
• Often outside it: data held under other legal bases, or on paper
• Still an option: the right of access for a broader copy

How to make a portability request

You do not need a special form or a lawyer. A clear written request to the organisation is enough, and it should respond without undue delay and within one month, though it can extend that for complex cases and must tell you if it does. There is normally no fee.

Keep your request specific and easy to act on, and keep a copy of what you sent. If you want the data moved directly to another provider, say so, and understand the receiving service has to be able to accept it for that transfer to happen.

• 1. Identify the organisation and the specific data you want, for example your account history or contact list.
• 2. Put the request in writing and state that you are exercising your right to data portability under UK GDPR.
• 3. Say whether you want a reusable file sent to you, or the data transferred directly to another named provider.
• 4. Confirm your identity if asked, so the organisation can be sure it is releasing data to the right person.
• 5. Note the date; expect a response within one month, and keep your copy of the request.
• 6. If you get no adequate response, you can raise a complaint with the ICO.

Frequently asked questions

Related terms

• GDPR (General Data Protection Regulation)
• Personal data
• Data controller
• Data Subject Access Request (DSAR)