A major focus of GDPR is on conditions of consent which have been strengthened. So companies will not be able to use vague or confusing statements to get you to agree to give them data. Firms won't be able to bundle consent for different things together either.
"If you have a page of different consent, and saying by clicking here you consent to lots of things, that will be wrong, you need to be able to apply that consent individually," Harry Small, a partner at law firm Baker & McKenzie, told CNBC by phone.
Consent must also be easy to withdraw.
For children under 16, a person holding "parental responsibility" must opt-in to data collection on their behalf.
Another rule will make it mandatory for companies to notify their data protection authority about a data breach within 72 hours of first becoming aware of it. The processor of the data will need to notify customers "without undue delay" after learning of the breach, according to an EU document.
When it comes to user data, consumers will have more control. You will be able to access the personal data being stored by companies and find out where and for what purpose it is being used. You will also have the right to be forgotten. This means you can ask whoever is controlling your data to erase it and potentially stop third parties processing it too. Another provision of GDPR allows people to take their data and transfer it to a different service provider.