I don’t generally get personal details, with the notable exception of people signing up to my mailing list. Almost all of the subscribers on there had subscribed using a form that I’m confident is GDPR-compliant, but there were a few that I wasn’t confident about. For those, I did the following:
Moved them to a new, temporary, mailing list.
Sent an email to that list, explaining that in order to comply with GDPR, I wouldn’t email them again unless they re-joined the list. That email had a link to the new sign-up form.
After about a week, I deleted the temporary list along with the subscribers.
I stopped using Google Analytics some time ago and switched to a self-hosted Matomo installation, so that I have that data under my own control. Because I’m really paranoid and privacy conscious, I have it set up to get the data from server logs instead of using cookies to track people. That makes the data less comprehensive, but it’s still more than I ever use.
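To make the trade-off in that choice concrete, here is an added example (not code from this post or from Matomo) of the kind of log-based page-view counting that needs no cookie or per-person identifier. It assumes Apache/nginx "combined" log format, drops query strings (which can carry emails or tokens), ignores static assets and non-2xx responses, and keeps only a network prefix of each client address so that "visitors" becomes an approximation rather than a record of individuals. The log lines are constructed sample data.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Requests for these are not page views; skip them so counts reflect content only.
STATIC_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff2")

# Constructed sample lines (documentation IP ranges, not real visitors).
SAMPLE_LOG = [
    '203.0.113.7 - - [25/May/2018:10:12:01 +0000] "GET /blog/gdpr HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [25/May/2018:10:12:02 +0000] "GET /static/style.css HTTP/1.1" 200 812 "https://example.com/blog/gdpr" "Mozilla/5.0"',
    '198.51.100.9 - - [25/May/2018:11:00:00 +0000] "GET /blog/gdpr?utm=news HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.200 - - [25/May/2018:12:45:10 +0000] "GET /blog/gdpr HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [26/May/2018:09:30:15 +0000] "GET / HTTP/1.1" 304 0 "-" "curl/7.58"',
    '192.0.2.44 - - [26/May/2018:09:30:16 +0000] "GET /blog/missing HTTP/1.1" 404 190 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [26/May/2018:09:30:20 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def anonymise_ip(raw):
    """Keep only the network prefix: /24 for IPv4, /48 for IPv6 (assumed policy)."""
    addr = ip_address(raw)
    prefix = 24 if addr.version == 4 else 48
    return str(ip_network(f"{addr}/{prefix}", strict=False).network_address)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def aggregate_views(lines):
    """Count page views per (day, path) plus an approximate visitor count.

    Visitors are counted as distinct anonymised network prefixes, so two people
    behind the same /24 collapse into one: less comprehensive, by design.
    """
    views = defaultdict(int)
    networks = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "GET" or not rec["status"].startswith("2"):
            continue
        # Drop the query string before it is ever stored; it may carry personal data.
        path = rec["path"].split("?", 1)[0]
        if path.lower().endswith(STATIC_SUFFIXES):
            continue
        key = (rec["day"], path)
        views[key] += 1
        networks[key].add(anonymise_ip(rec["ip"]))
    return {k: {"views": views[k], "approx_visitors": len(networks[k])} for k in views}


if __name__ == "__main__":
    for (day, path), stats in sorted(aggregate_views(SAMPLE_LOG).items()):
        print(day, path, stats)
```

Note that the raw address is used only inside `aggregate_views` and never written to the output; if the raw logs themselves are retained, their rotation and retention period is the remaining thing to decide.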
I’ve created proper privacy policies.
The day job sent me to a half-day training thing about GDPR. The two main points I got from that were that you need informed consent, and that the Information Commissioner will be more lenient if you have made good faith efforts to comply. On the other hand, if you’ve ignored it, you can expect to get hit hard.