GDPR?
Not exactly complicated, it just means we can’t be spammed as much any more and, if we request that someone deletes our personal data, that person is not allowed to sell it to the Russian mafia first.
It’s easy. I work in IT Sec and we had to sit the entire course, took us 20 mins.
Between the legalese is a pretty simple concept: you make best efforts to store all personal data securely and you remember that the service user owns their personal data, not the service provider.
That’s reallt pretty much all there is to it. Put up a cookie warning and manage members’ personal data properly and the job’s a carrot.