How (not) knowing the data subject rights impacts your business

Katarina Karmazinova, General

GDPR impact

Under the new legislation, companies and cloud-software providers won’t be able to get away with just stating “By using this site, you accept cookies” anymore.

Without an explicit affirmation from your users, your business simply doesn’t have the consent to use any user data for marketing purposes. This includes the data you already have.

How well do you know your data? And why does it pay off knowing the rights of the data subject?

Don’t make a €20 million mistake…

If the threat of an administrative fine of up to €20 million or 4% of your global annual turnover (whichever is higher) doesn’t sound scary enough, don’t ignore the possible damage to your business reputation. Any damage resulting from non-compliance can make your business appear unsafe for your customers’ data in the digital marketplace.

In order to be able to keep processing your user data aligned with the new rules of GDPR, it is crucial to learn what their actual rights are. Knowing them will help you find ways to respect them without hurting your business and improve your users’ browsing experience at the same time. It is a win-win. Just keep reading…

Moreover, with the right approach, you can turn a seemingly scary challenge into an opportunity to build better relationships with your customers, something that any business should aim for and continuously depends on, regardless of the new laws.

The right to be informed

Data subjects have the right to be provided with information on

  1. the identity of the controller
  2. the reasons for processing their personal data and
  3. other relevant information necessary to ensure the fair and transparent processing of personal data.

A good tool will help to map your data

To ensure you abide by this rule, you have to map your data.

Where does your customer data flow and how is it processed? You should now be able to explain clearly on your website:

  • how,
  • by whom,
  • for which purposes, and
  • for how long personal data is stored.

This way you will not only be in control of your data and ensure you are compliant, but you will also take a clever step toward keeping your users.

If your email database doesn’t comply yet, you will simply get consent again. Exponea can A/B test different scenarios and figure out more effective ways of getting that consent. Personalizing, automating and A/B testing the marketing communication will effectively preserve your existing, currently non-compliant, database.

With the right tool you can think beyond the requirements of GDPR and take all marketing goals, as well as your own goals into consideration.

Exponea on the best consent-getting ideas

Now, here is a chance to shine. There are many ways to get your website visitors’ consent without scaring them off. So how can you play around with the slickest consent-getting ideas until they are tailored to perfection?

The secret is to present the information collected via cookies as beneficial to the customer, so that they feel secure, informed and happy to consent. Be upfront with your customers about using their data, and about where and for how long it will be stored. Be clear about how exactly the customer benefits from the data collection.

Here is just one example of a notice (web-layer, cookie notice) that pops up within 5-10 seconds after the user enters our webpage for the first time:

“We are happy you are here. Help us understand what your preferences are by enabling cookies so we can help you find relevant information as soon as possible. Should you not enable them, you may still use our website. However, we can’t improve and tailor your browsing experience based on your interests or location.”

You can also add a non-invasive formulation offering both a consent and an opt-out button: “Yes, customize my browsing experience” and “No, thanks.” (Alternatively: “No, don’t optimize my browsing experience”)

The right of access

Part of the expanded rights of data subjects outlined by GDPR is the right for data subjects to obtain from the data controller confirmation as to

  • whether or not personal data concerning them is being processed,
  • where, and
  • for what purpose.

Further, the controller shall provide a copy of the personal data, free of charge, in an electronic format.

This change is a dramatic shift to data transparency and empowerment of data subjects.

Exponea holds your data in one place

The Exponea customer profile means that you already have all the information about the customer in one place, which makes providing the data a piece of cake.

If you have all the data in Exponea, you can refer to data mapping to double-check if you are compliant.

Exponea additionally allows you to download customer data using the Data API in JSON format, which is easily transferable.

We can export data, move it and explain its purpose: make it easily accessible and be able to explain what is what.

This way you can use and share your GDPR compliant and tidy database ad hoc for any client that would enquire about it. You might also be able to export the GDPR compliant data from it.

The added value in this is that the GDPR compliant database is usable and exportable elsewhere, with no risk of getting a hefty fine.

The right to rectification

Controllers must ensure that inaccurate or incomplete data is erased or rectified. Data subjects have the right to rectification of inaccurate personal data.

Exponea enables you to amend data

To keep your customer service from being swamped by hundreds of manual rectification requests, make sure users can easily change inaccurate or incomplete data in their profile themselves.

You can easily update existing data inside Exponea from a profile page, or a freshly prepared landing page for managing consents.

The right to erasure

Also known as Data Erasure, the right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.

The conditions for erasure, as outlined in Article 17, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the subject’s rights against “the public interest in the availability of the data” when considering such requests.

Delete data without losing track  

Apart from being able to delete customers from Exponea using the Data API, you can automate data deletion across all platforms by using scenarios and webhooks.

Since you will be deleting all data, even events, you may lose historical trends and revenue data, which makes it hard for you to do meaningful year-over-year (YoY) comparisons and analysis. Anonymization of data would allow you to still see aggregate metrics, as events would be assigned to a new random cookie and personal information would be deleted.
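The trade-off above, erasure versus anonymization, as an added worked example (not Exponea’s code; the profile, the event schema and the field names are constructed for illustration). Hard erasure drops the customer’s events and with them the revenue history; anonymization strips the identifying attributes and re-keys the events to a fresh random cookie, so the yearly totals survive while the person can no longer be identified.

```python
import json
import secrets
from collections import defaultdict

# Constructed sample data: one identifiable customer profile and a purchase
# event stream keyed by browser cookie. Not real customer or Exponea data.
CUSTOMER = {
    "customer_id": "cust-1001",       # assumed identifier field
    "cookie": "ck-7f3a",              # assumed browser cookie id
    "email": "jane.doe@example.com",
    "name": "Jane Doe",
    "segment": "returning",           # non-identifying attribute, may stay
}

EVENTS = [
    {"cookie": "ck-7f3a", "type": "purchase", "year": 2016, "revenue": 120.0},
    {"cookie": "ck-7f3a", "type": "purchase", "year": 2017, "revenue": 80.0},
    {"cookie": "ck-9b21", "type": "purchase", "year": 2017, "revenue": 45.0},
]

# Attributes that identify a natural person; they must not survive either path.
PII_FIELDS = ("customer_id", "cookie", "email", "name")


def erase(customer, events):
    """Hard erasure: drop the profile and every event tied to its cookie.

    Returns (profile, events). The profile becomes None and the customer's
    purchases disappear from the analytics entirely.
    """
    remaining = [e for e in events if e["cookie"] != customer["cookie"]]
    return None, remaining


def anonymize(customer, events):
    """Anonymization: remove PII and re-key the customer's events to a new
    random cookie, so aggregates survive but nothing links back to the person."""
    new_cookie = "anon-" + secrets.token_hex(8)  # unguessable, stored nowhere else
    profile = {k: v for k, v in customer.items() if k not in PII_FIELDS}
    profile["cookie"] = new_cookie
    rekeyed = []
    for e in events:
        if e["cookie"] == customer["cookie"]:
            e = dict(e, cookie=new_cookie)  # copy; the input list is not mutated
        rekeyed.append(e)
    return profile, rekeyed


def revenue_by_year(events):
    """Aggregate purchase revenue per year, the figure YoY comparisons rely on."""
    totals = defaultdict(float)
    for e in events:
        if e["type"] == "purchase":
            totals[e["year"]] += e["revenue"]
    return dict(totals)


def contains_pii(profile, events, original):
    """Check that none of the original identifying values survive anywhere
    in the result, including nested fields, by scanning its JSON form."""
    blob = json.dumps([profile, events])
    return any(str(original[f]) in blob for f in PII_FIELDS)


if __name__ == "__main__":
    print("before:", revenue_by_year(EVENTS))
    print("erased:", revenue_by_year(erase(CUSTOMER, EVENTS)[1]))
    anon_profile, anon_events = anonymize(CUSTOMER, EVENTS)
    print("anonymized:", revenue_by_year(anon_events), "pii left:", contains_pii(anon_profile, anon_events, CUSTOMER))
```

Two points to check when applying this for real: keep no mapping table from the old cookie to the new one (otherwise the data is merely pseudonymized, not anonymized), and scan free-text event fields as well, since names and email addresses often leak into notes or order comments that a field-based strip would miss.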

If you publish any private data that can be, for example, looked up using Google or any other search engine, the right to erasure gives you additional obligations. If a user requests erasure of data that has been made public, you have to take “reasonable steps” to inform other controllers processing that data about the request.

The right to restrict processing

Data subjects have the right to restrict the processing of personal data (meaning that the data may only be held by the controller, and may only be used for limited purposes) if:

  • the accuracy of the data is contested (and only for as long as it takes to verify that accuracy);
  • the processing is unlawful and the data subject requests restriction (as opposed to exercising the right to erasure);
  • the controller no longer needs the data for their original purpose, but the data is still required by the controller to establish, exercise or defend legal rights; or if
  • verification of overriding grounds is pending, in the context of an erasure request.

Flag the restricted data

In case this happens, the data has to be removed from the filing system or from a public website in order to avoid further processing.

You will be able to flag the questioned data in a way that makes it clear that the processing has been restricted, with a timestamp. No additional data will be processed without regaining consent or fulfilling another legitimate basis for processing.
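The flag described above, as an added example (my own illustration, not Exponea’s implementation; the `Profile` fields, the legal-basis mapping and the purpose names are assumptions). A restriction carries its ground and a timestamp, every processing step is gated by `may_process`, and while the restriction is active only holding the data and using it for legal claims is allowed; for anything else the purpose needs a recorded legal basis, whether consent or another one.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


def utc(year, month, day):
    """Timezone-aware timestamp helper; a restriction must be dated."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Restriction:
    """A processing restriction: its ground and when it was applied/lifted."""
    ground: str                        # one of the four grounds listed above
    restricted_at: datetime
    lifted_at: Optional[datetime] = None

    def active(self, now: datetime) -> bool:
        return self.restricted_at <= now and (self.lifted_at is None or now < self.lifted_at)


@dataclass
class Profile:
    customer_id: str
    # purpose -> legal basis on record ("consent", "contract", ...); assumed field
    legal_basis: Dict[str, str] = field(default_factory=dict)
    restriction: Optional[Restriction] = None
    audit: List[str] = field(default_factory=list)


# While restricted the data may still be held and used to defend legal claims.
PERMITTED_WHILE_RESTRICTED = {"storage", "legal_claims"}


def restrict(profile: Profile, ground: str, now: datetime) -> None:
    """Flag the profile; the audit trail keeps the timestamp and the ground."""
    profile.restriction = Restriction(ground, now)
    profile.audit.append(f"{now.isoformat()} restricted: {ground}")


def lift(profile: Profile, now: datetime) -> None:
    """Lift the restriction, e.g. once contested accuracy has been verified."""
    r = profile.restriction
    if r is not None and r.lifted_at is None:
        r.lifted_at = now
        profile.audit.append(f"{now.isoformat()} restriction lifted")


def may_process(profile: Profile, purpose: str, now: datetime) -> bool:
    """Gate for every processing step. Under an active restriction only storage
    and legal-claims use is allowed; otherwise the purpose needs a legal basis."""
    if profile.restriction is not None and profile.restriction.active(now):
        return purpose in PERMITTED_WHILE_RESTRICTED
    return purpose in profile.legal_basis


def select_for_purpose(profiles, purpose: str, now: datetime) -> List[str]:
    """Ids of the profiles a job (e.g. a campaign send) may touch right now."""
    return [p.customer_id for p in profiles if may_process(p, purpose, now)]


if __name__ == "__main__":
    jane = Profile("cust-1001", legal_basis={"marketing": "consent"})  # constructed
    restrict(jane, "accuracy contested", utc(2018, 5, 25))
    print(select_for_purpose([jane], "marketing", utc(2018, 5, 26)))  # restricted: []
    lift(jane, utc(2018, 6, 1))
    print(select_for_purpose([jane], "marketing", utc(2018, 6, 2)))   # ["cust-1001"]
```

Routing every job through `select_for_purpose` rather than checking the flag ad hoc is what makes the restriction enforceable: a campaign, an export to a partner or an analytics run all consult the same gate, and the audit list gives you the evidence of when the restriction was applied and lifted if a supervisory authority asks.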

The right to data portability

GDPR introduces data portability: the right for a data subject to receive the personal data concerning them, which they have previously provided, in a “commonly used and machine-readable format”, and the right to transmit that data to another controller.

Solve it with a ready template

Data subjects can now ask whether we possess their personal data and what kind of data. They can ask for copies or have it transferred to a competitor in a portable format (JSON). Exponea uses JSON (JavaScript Object Notation), a lightweight data-interchange format.

If this happens, you can have a template response email ready. If your customer service team knows how to respond, they might even leverage the situation and re-establish the relationship with leaving customers.

By offering them a perk or reminding them of some added value your service has created for them, you may make them stay and boost the mutual interaction.

The right to object

Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either the public interest or the legitimate interests of the controller.

It is about plain language disclosures

Controllers have to disclose how long the data will be stored and inform data subjects of their right to withdraw consent at any time, to request access, rectification or objection to processing, and to lodge a complaint with a supervisory authority, according to Article 13.

The disclosures have to be easy to access and written in plain language adjusted to the audience. Hence, statements designated to children have to be formulated in a way they can understand.

When designing our disclosure, we have to make sure the statement is readable and watch out for very long sentences, passive voice, adverbs and hidden verbs.

You don’t need to ask for consent in order to process the user’s order. However, you should ask whether you may use personal information for anything else. If there are more purposes you may use the information for, you have to ask for permission separately.

You can offer your users a similar notice:

How will we use the information about you?

Personalize your use of the website (if you agree).

Rights in relation to automated decision making and profiling

Data subjects have the right not to be subject to a decision based solely on automated processing (including profiling) which significantly affects them.

Such processing is permitted where it is necessary for entering into a contract with the data subject, where it is authorized by law, or where the data subject has explicitly consented, provided that appropriate safeguards are in place.

In other words, to make data processing fair, it has to be done in a transparent manner, ensuring the users are informed about the purposes of the processing, the existence of profiling and its consequences.

The users should know the consequences of their actions, should they decide against providing the data.

GDPR will fortify your customer relationships – if you play it right

You don’t have to lose the game by deleting your entire emailing database (just in case) in a panic, as J.D. Wetherspoon did to prevent possible damages.

By neat spring cleaning of your data, you will know where you stand: which data you hold, for what purpose, whether it is legitimate, whether you transfer it in an inadequate way, and whether you store it longer than you need.

Knowing your data, especially knowing whether the specific purposes are covered by consent, and having a good tool is key for controllers to master the situation around GDPR.

The awareness of each of your data processing activities will give you the needed leverage over your competitors who would rather bin the data instead of ordering and reusing it wisely.

Establishing yourself as a safe harbour for your customers’ data can be something you can use as a new way of communicating and doing business with them. Something definitely to be seen as an opportunity, not a disadvantage.

At Exponea we understand the risks and the opportunities. We will guide you step by step through the transformation and walk you out of the risks without a headache. Read our GDPR E-book and stay in the know.