GDPR - General Data Protection Regulation
I think everyone can see the need for GDPR in this age of "data brokerage". However, there is little point in having or developing a policy for an organisation if it is not understood or followed by the members of that organisation. It is all very well stating what you will do with information that is collected, from the use of a website for example, but not doing what you say is a lot worse than not having a policy in the first place.
GDPR applys across the board in the operations of your organisation and that extends to telephone calls and simple emails. When you are in contact with people that are using your services you need to follow the same rules. For example, if you are accepting bookings for an event by telephone the number that you may or may not have collected is subject to your GDPR policy. This is the same for emails and the use of a "maiing list" should be fully understood by those doing so.
The subject of Data Protection and Security is NOT well understood by the general public.