The EC's summary of the reform is here. If you're feeling ambitious, the regulation itself is here.
The EC also has an interactive infographic (which is a bit 'design heavy').
Keep in mind that it is the national data protection authority that monitors compliance with the directive, so probably the best place to start (and keep up to date with) is your national DPA.
For example, ICO (the UK's DPA) has an interactive toolkit in addition to the fact sheet @hawk linked. If I were a company that collects personal data of UK citizens, I would start with that toolkit.
Also keep in mind that the DPAs themselves are still figuring out how to apply this regulation in practice. If you read through the regulation it uses a lot of broad terms that will need to be applied to real world scenarios. For example, ICO recently had a public consultation about the meaning of 'consent' under the regulation.
That said, it seems the main potential risks for online communities are:
- Inadequate consent when obtaining and retaining personal information (see e.g.)
- Ensuring individual rights are protected (see e.g.). Functionality for dealing with each of these is already built into Discourse, but I would briefly make sure you know how to handle each scenario.
- Accountability. This seems to be an important new aspect of the GDPR. Basically, it seems to involve thinking about data protection for longer than 2 seconds and making an organization-specific plan.
There are other area specific risks (e.g. communities targeted at, or including, children).
Personally, as I have a community that has not even launched yet, I'm not that worried about it. The thrust of the enforcement aspects of the new regulation seems to be targeted at the processing of large amounts of sensitive data.
As the EC says in their FAQs:
What are the benefits for SMEs?
The data protection reform is geared towards stimulating economic growth by cutting costs and red tape for European business, also for small and medium enterprises (SMEs).
By having one rule instead of 28, the EU's data protection reform will help SMEs break into new markets. In a number of cases, the obligations of data controllers and processors are calibrated to the size of the business and/or to the nature of the data being processed. For example:
- SMEs need not appoint a data protection officer unless their core activities require regular and systematic monitoring of the data subjects on a large scale or if they process special categories of personal data such as that revealing racial or ethnic origin or religious beliefs. Moreover, this will not need to be a full-time employee but could be an ad-hoc consultant, and therefore, would be much less costly.
- SMEs need not keep records of processing activities unless the processing they carry out is not occasional or likely to result in a risk for the rights and freedoms of data subjects.
- SMEs will not be under an obligation to report all data breaches to individuals, unless the breaches represent a high risk for their rights and freedoms.
My overall take is that it is worth spending an afternoon on your org-specific plan and keeping up to date with developments with your national DPA, but not worth sweating it too much.
Disclaimer: I am not an expert in European or UK law and none of this constitutes legal advice. It is purely layman opinion.