Every email marketing company should know the difference between personal data and portable data. One you should avoid transporting, the other is mandatory to send if requested.
The GDPR allows individuals to demand and reuse their personal data for their own purposes. The premise is that they might want to transfer their data to another similar environment in a safe and secure manner. This would allow individuals to test prices, services and delivery across various providers.
In other words, you have to share. You probably think this is a bit harsh, but then they have willingly shared it with you. All they want to do is share it with someone else. There are a few conditions which are deceptively simple:
1/ The individual may demand a copy of their personal data;
2/ In addition to, or instead of, 1/ above, they may request that their data be transmitted directly to another data controller;
3/ The data must be provided in a structured, commonly used and machine-readable format (this excludes paper files). An explanation of what is meant by such formatting is available on the ICO website.
There are various methods you might choose to transmit the data. You could send it to the individual or provide a tool that allows them to access the data themselves. In both cases the systems must be secure, not only to ensure that others cannot access the data but also that the individual does not gain access to the data of anyone else.
It would seem essential that you establish systems to ensure you comply with the requirement and that it is completed swiftly, or in the words of the GDPR, without hindrance. What this means is that you must not place any obstruction in the way to delay transmission of the data.
The right applies to personal data that the individual provided to you, but the definition of ‘provided to you’ is rather wide. You will have started with certain data that you included on your email marketing list, but as time has passed you will have gathered further information, such as website usage, location data, items they’ve purchased and similar data. See the ICO website for more detailed conditions.
It does not include data that you have calculated or inferred from such information, e.g. a user profile. If, however, they make a subject access request then that data must be provided. You may feel that you might as well include such data, so the systems you create should have options to include data that is not required under the GDPR should you so wish.
Depending on how you store such data, it might include information on others. In that case, you need to consider if it would adversely affect their rights and freedoms. If so, you will need to seek permission from the other parties before you can transmit such data.
If you refuse a request on such grounds then you would have to justify your reasons and explain the systems which caused such a problem.
The right to demand portable data does not only include email marketing lists. It is all personal data.