I've read up a little on GDPR. Although it seems quite in-depth, what I took from it was that you shouldn't store any data you don't need, so reducing server logs etc. (thinking specifically of cookies) and making what data you do have secure.
It would also be nice if the site forced HTTPS.
