I have listed the significant individual rights under the GDPR that impact our and most likely your business.
Almost everyone is today aware of the GDPR (the new data protection regulation), which will replace the 1995 Data Protection Directive (95/46/EC).
It applies from May 2018, and I found 3 things which I regard as key elements, at least for us:
1) The new law stresses the rights of the individual
This means the way you handle your data must be transparent to the individual. They should be able to understand what you save in your systems about them. For example, if you need to retain your customer's address as a reference for future deliveries, you should be able and willing to inform him/her about the saved information.
This can be solved, for example:
a) With a log-in where the customer can update his/her data and export it in the EU standardised format.
b) Or, much simpler, by a manual process: your company makes a data extract and sends the information saved in your system about the individual, upon his/her request.
The data should be sent digitally (as an e-mail attachment) and in a standardised format. The data should also be sent on paper if this is requested. You need to be prepared and willing to change the data upon his/her request for correction.
Note: the new standardised and digital data exchange format, which has to be implemented, allows the individual to transfer their data to another provider. The EU is striving for data portability to create technological neutrality and to open up competition.
2) The individual has "the right to be forgotten"
This means an individual has the right at any time to get his/her data deleted from your company's data systems.
But you are allowed to keep the data you can prove that you need. For example, for a former employee the data cannot be "totally deleted" if he/she is to be part of governmental reporting, pension payments or similar.
As I understand this part of the rule, Google, for example, has a tricky situation: they need to block search results upon the request of a person. This could also affect your company if, like Google, it shows data which is not under your company's control.
3) There has to be a contact person for the individual.
You have to provide the name of a person responsible for data protection whom the individual can contact and who is responsible for executing points 1 and 2 for him/her.
And, for your information: the European rules are said to apply regardless of where your server is physically located, or whether you are a non-European business.
But that's it as far as I'm aware. Still, this can be very complicated to fulfil, especially for large companies.
Regards, EM Fahrer