The GDPR guarantees a number of rights to consumers - called “Rights of the data subject.” Every company that holds or uses personal data of its customers or users should understand what these rights are.
Here they are:
1. Notice - or the right to be informed.
A company needs to give a lot of information to the people whose personal data it is collecting and using, including:
what data is being collected,
how it is being stored,
who it’s being shared with,
how it’s being used,
and much more.
2. Access - the right to get your data
The law is very clear on this: “The controller shall provide a copy of the personal data undergoing processing.” That’s it - users have the right to get their data.
3. Rectification
Individuals have the right to have incorrect or incomplete information fixed or updated by the company.
4. Erasure - or “the right to be forgotten”
Individuals have the right to have their data erased in a variety of situations - for example, if the data is no longer necessary, or if the data was unlawfully collected in the first place. This includes when the user “withdraws consent,” meaning they no longer agree to that stuff they check off in the privacy notice (though there are some exceptions to this).
5. Restriction
Individuals have the right to have a company limit the way it uses their personal data.
6. Data Portability
Individuals have the right to ensure that their data can’t be “locked” by one company - the data needs to be able to be moved from one provider to another.
7. Objection
Individuals can object to the processing of personal data in certain situations where they did not consent (like data collected by a government agency). The individual must give specific reasons for the objection, and this will be balanced against the legitimate interests of the data controller.
If you fall under the jurisdiction of the GDPR, you need to be ready to respond to requests relating to all of these rights.