This one seems to have the right level of detail...
One good one-line summary:
Three elements of this: Right to Access, Right to Be Forgotten and Data Portability.
... and some interesting general info:
The penalty for non-compliance can be 4% of annual global turnover, up to a maximum of €20 million.
That's good for the people who make free software or free blogs ;)
PwC surveyed 200 CXOs of large US firms to assess the impact of the GDPR guidelines. The results revealed that a majority of the firms had taken up the GDPR ...with 76% of them prepared to spend in excess of $1 million on GDPR.
Yep... a nice regulation that costs over $1 million to implement...
The UK’s Information Commissioner’s Office defines personal data as: "Information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier."
It says this includes "name, identification number, location data or online identifier".
Under some circumstances, this can extend to images, and details about your family.
Organisations have six lawful bases for processing personal data: Consent, contract, legal obligation, vital interests, public task or legitimate interest - definitions of which are available on the ICO’s website.
But whatever the legal basis, you always have the right to object to the continued processing of your personal data if it's for the purposes of direct marketing.
If you willingly and explicitly consented to your personal data being used for ads in the past, then apps and others can continue to do so.
GDPR says consent means individuals must have real choice and control.
So, they need to have a "clear and concise" explanation as to what they are agreeing to, and pre-ticked boxes and other forms of default consent no longer apply.
GDPR introduces a right for individuals to demand their personal data be erased under some circumstances.
These include situations when its use has been based on their consent.
Organisations must respond within a month of receiving the request and should comply without charging a fee unless the request is deemed "manifestly unfounded or excessive".
GDPR introduces a duty to report certain types of data breaches within 72 hours of them being detected, even if all the details are not yet known.
If individuals are also put at significant risk, they must also be informed.
Failure to comply can entail a fine of up to 20m euros (£17.5m; $23.6m) or 4% of the organisation’s annual global turnover - whichever is greater. But the penalty for delayed reporting alone tops out at 10m euros or 2% of global turnover.
GDPR gives an individual the right to challenge decisions made solely on the automated analysis of their personal data if they did not consent to it in advance.
Those affected can ask for access to the details on which the decision was based.
They also have the right to have a human double-check that a mistake was not made.
GDPR includes the right to obtain and reuse personal data from one service to another.
As such the data must be provided in a commonly used and machine-readable format.