GDPR compliance is not hard

The GDPR is an EU (and now UK) law that relates to the handling of personal information.

The idea is that individuals own their own data and that it can only be used in ways they have agreed to. If you want to use data you need to seek permission and tell the user what you are using it for. Users also have the right to opt out. This does not have to be instant, so extracting your list a month before an email is sent would be fine. Doing so six weeks or more in advance is not.

It specifies that data use must be opted in to. In several cases recently I have seen surveys sent out that have the “add me to your mailing list” box pre-checked. This is specifically not allowed.

You also can’t pass PII to third parties without either a good business reason or permission. A good business reason would be passing a delivery address for shipping a product. A bad reason would be selling details to a third party to update a marketing database.

You can also only use the data for the requested purposes. For example, Facebook asked for my phone number for account recovery purposes. It would have been a violation if I had received a phone call from a market research company on that number.

GDPR has teeth. The fine can be 4% of your global income. Note that this is income, not profit.

All that is required is good practice.