The European Union introduced the General Data Protection Regulation (GDPR) in May 2016 to grant users (also called data subjects) more control over their personal data, which is typically under the custody of data aggregators and/or data processors. After an initial period of introduction to the public and stakeholders, the law took effect on May 25, 2018, and the GDPR made several positive contributions to better regulate data protection. First, it expanded some existing rights, such as the subject’s right to information, right to access, right to rectification, right to cancellation, and right to object. The GDPR also created new rights, such as the right to be forgotten, the right to portable data, and the right to restrict the processing of personal data. The GDPR also included several obligations that data controllers owe data subjects.