unfortunately it a bit depends on legislation of each country. Any way it must be done till 25 May 2018.
Good explanation you can found eg. on Wikipedia: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
As we discused in our company, for our needs (I hope for most companies, at least for this year, when this new regulation starts) Telaxus should declare somewhere (official website?), that EPESI is GDPR compatible. Than we can tell to possible inspection: "We're using EPESI and developer say, it's compatible with GDPR." It's like black box, nobody knows. And its posible to manage it till 25 May.
Necessary modificaton will be encript contact table, due this regulation. I think there's not many more issues. Question is logging all activities related with contacts, but we hope it could just know period, when and who had access to contacts. And it's now possible just with Login Audit module...
I hope easy understood my explanation. :-)