Let's say I have a website that doesn't sell any personal data to third parties, but uses email for registration purposes, stores some user-generated content to show, and analyses conversion rate with Google Analytics. What exactly do I need to comply with GDPR?
My first statement would be: Yesterday was too late to ask this question; GDPR was passed two years ago.

The most important bit is to have a contact email for privacy issues, where people can request their data, request deletion of their data, etc. You don't need an automated system if you aren't getting a volume of requests you can't handle.

And the other big thing is you need to clearly disclose your vendors. If you host on a cloud service, use a payment processor, etc., you are sending private data to those companies, so you need to point to their privacy statements as well.

If you're US-based, look at Privacy Shield. If all of the data processors you use are also Privacy Shield compliant, getting certified yourself is pretty easy.