* Caveat - this post is for guidance only and if in doubt you should seek legal advice.
Seriously, it's straightforward and easy.
When GDPR came in, at the end of May 2018, everyone went into panic mode. The fines! Keeping data safe! OMG!
But the rules are simple.
* Only communicate with people who have agreed for you to do so.
* If someone buys something from you, then you can communicate with them while you prepare and supply their order, and in certain circumstances after you've supplied it (say, because you need to provide an update or because there may be an issue with it).
* Only hold on to data for as long as you need it to complete the transaction with your contact or customer, such as supplying an order or answering a question.
* Only send newsletters etc. to people who have opted in to receive them, and they must opt in by the channel you intend to send them by. This means that if someone opts in for an email newsletter, you cannot send them communication by Facebook Messenger.
* Make sure access to the data you are storing is secure: if it's paper, keep it in a locked drawer; if it's on your computer, make sure both the computer and the file are password-protected; if it's in your sales software, make sure that has a password to access it too.
* If in doubt, don't hold the data.
The best resource for Data Protection and GDPR is the Information Commissioner's Office, and it is always my go-to place when I'm talking to clients, because they can see the guidelines in black and white.
Each time you decide to do something new, you should undertake a Data Protection Impact Assessment, or DPIA. A DPIA takes just 30 minutes and is an assessment of whether what you are planning meets GDPR guidelines. At the end of the assessment you get a report which shows whether any actions are needed to make your data handling compliant, along with guidance on how to carry out those actions.