by billconan 3013 days ago
Most websites ask for users' email used as the account name.

From what I have read on this topic, an email address is considered personal information.

> the necessary work to make sure you've done at least the minimum to protect what they've shared, especially if you're profiting from that data.

The OP was willing to comply; she asked what "necessary work" means and how to define "minimum".

Also it seems to me that GDPR applies to non-profit sites.

2 comments

> Most websites ask for users' email used as the account name.

> an email address is considered personal information.

As another poster mentioned - just don't use email.

Or if you must, then just make sure you only do the minimum you have to with it - e.g. don't send it to a third party, have a way to delete it when a user wants to close their account (unless you have a good reason to keep it - e.g. to match to a financial transaction).

What's the difficulty?

GDPR shouldn't be a burden for a small business unless the business is in the personal data space.

So what? Don't ask for an email address. Use an OAuth provider instead. Or let people use the server without signing up. Or assign users a random number as their login.

There are plenty of options available if you don't want the "burden" of securing your users' private data, but ignoring it isn't one of them any more. This is a good thing.