What are the Eight Rights of Users Granted by GDPR Laws

If you missed our introduction to GDPR, you can catch up now or read it after learning about the eight rights of the user. At its core, GDPR seeks to provide consumers with better personal data security. This extends much farther than most people initially thought. Individuals are now guaranteed the following eight rights as a result of this new law.

The Right to be Informed

Perhaps the most basic piece of GDPR is the end users’ right to be informed of all aspects of their data.

Who is collecting it? For what reason? When are they collecting it and when are they disposing of it? Where is the data housed? Why are businesses collecting it? In general, if you want to know literally anything about your data, you have the right to ask.

Whether it’s being collected or processed, every EU citizen has the right to know what is happening with their data. Consent is required at the onset – whether that’s by the original collector or another processor down the road. Consent also needs to be reconfirmed for each new use.

For example, if I originally opted into an e-newsletter for bicycles, and that data collector sold their list of emails to a marketing organization advertising discounted Tour de France tickets, that new organization needs to gain consent before using that data. Each new organization must explain their uses of the data upfront, allowing end users to opt in or out for this new purpose. Ultimately, this gives users substantially more secure data, as it will be illegal for their information to simply bounce around the web untraced from one advertiser/marketer to another.

For more information on data collectors v. data processors, keep your eyes out for the next part of our GDPR series – The Key GDPR Players.

The Right to Erasure

All EU citizens have the right to “opt-out” of any type of database at any time. If you don’t want to receive that Foodie Blog’s monthly e-newsletter, you can already unsubscribe. But now, if you don’t want your information to exist in that organization's database, you can require them to erase all record of you simply by revoking your consent.

In laymen’s terms, by law, you can require any organization to delete everything they know about you. This includes backed up data. Organizations that receive requests to remove data will have a small time period to do so, not to exceed 30 days.

The Right to Data Portability

Organizations have to be able to provide data to competing companies if the individual wants to share that data with another competing service. This data portability piece will reduce the barriers to switching services, providing customers more freedom of choice for their digital needs. This also applies to non-digital services.

If a user wants to change over to a competitor of yours, you're required to share their data with the competing organization.

The Right to Data Access

Organizations have to be able to provide data directly to the individuals who want access. Individuals can ask for data at any point in time, and there must be a specific process in place for managing these requests. If 5,000 users all request data at the same time, a company must be ready to provide that data within the required time period or face fines. The timing varies from case to case but can be as little as 72 hours. Without a proper process in place, those fines stack up quickly.

The Right to Rectification

Individuals will have the right to update any and all false, incomplete or inaccurate information within an organization’s database. This can include improperly collected data, changes in opinion, and updates to your personal status. Again, organizations will have a small time period to process rectification requests.

Per GDPR, the user has the right to rectification of data. Companies must fix any and all mistakes in a timely manner or face fines!

The Right to Restrict Data Processing

Again, at the drop of a hat, EU citizens will be able to push a pause button on all personal data collection and storage, should they want to do so. Do you have data backed up and a citizen wants it deleted? You better be able to scrub him/her from your system just as quickly. In general, restriction is straight forward. Citizens have full control over what can be shared or stored, and you better believe some of them will put up some strict barriers.

The Right to Object

The data subject shall have the right to object to the use of data at any time, including profiling based on data collected. If a citizen only wants to have an email on file as part of a rewards program but doesn’t want to receive marketing messages, they can object from that use of data. This includes research efforts and marketing outreach, among other situations. Expanding on this further, each use of data requires consent, as mentioned above. And citizens can object to any initially approved use over time.

The Rights of Automated Decision-making and Profiling

Last but not least is a safeguard in GDPR that protects citizens against the potential of a damaging decision made by AI, without human intervention. For more information on this final component, we recommend reading this piece from Intersoft Consulting.

Those are the big eight. Maybe not as exciting as Ocean’s 8, but still, just as potentially lucrative for citizens looking to litigate. Until a few real cases are pushed through the court system, it’s hard to fully guesstimate the reach of GDPR.

Additional Content to Consume!

If you’d like to read more of my industry thoughts, check out my recent articles:

• GDPR Compliance – Coming to an International Business Near You - Our introductory look at the GDPR.
• Digital Security Breaches: Facebook's Present, Your Data's Future - A deep dive into the Facebook Cambridge Analytica scandal.
• Blockchain – What Even Is It? – A look at the rise of the tech behind Bitcoin.