I have written about the far-reaching privacy and cybersecurity impacts of this regulation here. And I will be Tweeting about #GDPR on @GDPRnews as the enforcement date in 2018 draws closer.
Bear in mind that GDPR is a set of rules governing the privacy and security of personal data that is being implemented by the European Commission, but applies to many companies located OUTSIDE the European Union (EU).
For a start, GDPR gives data protection, and recourse for abuse or exposure of sensitive personal information, to residents of Europe, not just European citizens. So, even if you're in Idaho, selling motorcycle accessories via a website hosted in Chicago, and some of your current or former customers or prospects live in the EU, you could still be affected.
How? Well, here's just one example: the "Right to erasure" in GDPR, Article 17. That means you could get a letter or email from someone asking you - "the controller" in this context - to remove them from your mailing list and/or customer list. If that sounds like no big deal, I assume you know where all of your customer and marketing data resides, and you have an easy way to look people up and remove them.
That's not even getting into questions of when and with whom you may have shared the data without the data subject's explicit consent (and implicit consent cannot be grandfathered in). So let's say you have names and email addresses of people who have registered on your site as shoppers but you have assumed they would also like to know about motorcycling events and therefore shared their details with event organizers without explicit permission. That's not allowed anymore.
And so on... stay tuned!