At the moment, GDPR legally applies only to those doing business in the European Union, but, rest assured, this will be flowing to the United States soon. So you might as well start your compliance efforts now. The point of GDPR is to protect personally identifiable information (PII) like credit card number, age, gender, birth date, social security number and health conditions. But it also extends to less “essential” personal data such as email addresses and phone numbers, which covers collecting them and sending communications to customers.
The EU’s Information Commissioner’s Office (ICO), responsible for upholding GDPR compliance in the UK, offers up a lengthy (39-page) guide on all the rules, but here are the cliff notes.