The GDPR gives individuals the right, free of charge, to access their personal data by electronic means and to rectify or delete it. They should also be able to verify how their data is processed. One limitation applies: individuals may only do so at reasonable intervals. You may be concerned about the data derived from your email marketing lists.
Those who have made predictions feel that such demands will be infrequent, at least after the initial stages, but whether you are inundated or ignored, your systems will probably need to be updated or new ones developed. It will not be onerous if approached sensibly.
We will need to protect our email marketing lists, and giving subscribers the right to delete their data on a whim will be risky. There are two main ways to limit such concerns.
One reason individuals might want to see their data is the all too frequent news reports of security breaches in major companies exposing personal data. If an individual is unaware of what details you hold and why, one might sympathise with their concerns.
The time to explain to your subscribers what you will do with their data and, vitally, what you won’t, is when they sign up to your lists. Perhaps a link to this information in the landing page where they request access could be useful.
You will want a plan B if a significant number of subscribers delete their data. One concern is that those who ask for access might be of a certain demographic and if a substantial number of these are removed from your database, it could add bias.
The simplest way around this is to anonymise your data as much as possible. Once you have the information, if it is not personal, no individual can ask to have it erased.
Remember that the regulators can demand access. Ensure that you have records of what you told your subscribers at sign-up, including how you will process their data. And, of course, ensure that you stick to your promises.
This won’t go away. The time to prepare to allow access to individuals is now.