The problem with GDPR is that there is no way to know how it will play out in practice. I've asked my attorney some questions, and I'm going to be getting answers once the research is complete, but it's already clear that there's no such thing as a guarantee in this case.
That said, email lists are relatively easy to make compliant. It's websites that offer the greatest challenge.
For those of us with WordPress, there are a number of plugins designed to address the issue. After some experimenting, I settled on WordPress GDPR from Code Canyon. It's a measure of how rapidly the developer responds to user concerns that the plugin updates once or twice a day. As far as I can tell, it covers all the bases.
I don't collect much data in the first place. All areas of the site are accessible without sign-in, and I'm not selling anything. Basically, the only data comes from the comments (name, email, and IP address--for antispam detection). A few other plugins collect anonymous data. I got rid of Google Analytics, figuring it wouldn't be very accurate once people started opting out of it. It was comparatively easy to describe in the privacy policy what the remaining plugins are doing. WordPress GDPR provides very clear accept or decline choices and enables users to change them any time. (It also provides the setup for users to make data requests and has a particularly neat feature that allows users to delete their own data if they wish.)
GDPR applies in two cases: if someone does business in the EU, or if someone is monitoring the behavior of EU citizens. WordPress GDPR has a mode in which it loads only essential cookies even if someone accepts cookie usage. I tested the site, and everything seems to work with that setting. If I turned it on, I could argue I wasn't monitoring the behavior of EU citizens. Am I doing business in the EU? Distributors that sell my books are doing business there, not I.
The one problem I have is that, since people don't have to sign in, the plugin has no way of preserving a record of whether they accepted cookies or not, though I could demonstrate that the site loads only essential cookies until a user consents. Not having a record wouldn't be an issue if I blocked all nonessential cookies myself. If everybody had to create an account and sign in, that would ironically cause me to collect more data. That's one of the questions my attorney is looking at.
What puzzles me is watching how differently businesses react. I've seen everything from blocking EU citizens to seemingly continuing with business as usual. Even the companies with legal teams seem to be reacting very differently.