24 Association of Research Libraries Research Library Issues 297 — 2019 Although GDPR applies to EU citizens and residents, it affects companies and organizations worldwide both because of ties to those in the EU, as well as the practical difficulties in handling EU personal data differently from personal data collected in other parts of the world. GDPR grants individuals six specific rights with respect to their data: 1. Information and access (the right to know that their personal data is being processed and have access to this data free of charge) 2. Data portability (data collected under certain circumstances must be provided “in a structured, commonly used, and machine- readable form” 3. Rectification (ability to correct inaccurate personal data or to complete information) 4. Erasure (also known as the “right to be forgotten,” applicable only under certain circumstances) 5. Restriction (individuals may restrict data controller from processing data further under certain circumstances) 6. Objection (the right to object to processing of one’s data) Significantly, GDPR requires explicit consent from the user for collection and processing of data in an opt-in system, rather than simply allowing individuals to opt-out. As Anne T. Gilliland notes, the enactment of GDPR matters to companies and libraries worldwide: “Because of their various ties to Europe and EU citizens, such as exchange programs, study abroad opportunities, visiting scholars, and satellite campuses in other countries, universities and research libraries are among the organizations that now must come to terms with the GDPR’s requirements.”13 As a result of GDPR, other countries, such as Canada, Argentina, Brazil, Israel, and Japan, have enacted similar privacy legislation that is at least compatible with the EU’s approach.14 Canada, for example, updated