Please read about the GDPR, where this is all explained in far better detail than I will be able to.

Alternatively, hire a lawyer, like you would for any other regulatory requirement.

> in far better detail than I will be able to.

Far better details? It gives vague info on what might be considered personal data... I would not call it very detailed. In most cases just says personally identifiable information.