Still not sure what is new with GDPR, been hearing of that for months but I couldn't find any rules for webmasters as to what is required or what is going to change.
We already have strict privacy requirements even without this - like you have to register your submit forms when collecting data to the local government agency, even if the form has columns for just the first and last name, contact info etc. You also have to maintain documentation regarding your data collecting systems and safety measures undertaken...
Of course, you need the consent of the persons to collect and store their private data and if the consent is withdrawn you have to safely destroy the private data.
Also, photos are considered private data too if you can identify a person in them.
If you have employees working with private data you collect (e.g. if you run a company collecting and storing private data on their servers) those employees must have a special certificate for working with private data.
Imagine all this crap and now even more with GDPR? WTF...