[dodgyb]

A good reference is the Information Commissioner's Office. They are charged with enforcing the regulation:

https://ico.org.uk/for-organisations/guide-to-the-general-da...

For a summary of concerns that may be pertinent to your use case - General Data Protection Regulation (GDPR) for Identity Architects:

https://medium.facilelogin.com/gdpr-for-identity-architects-...