ACRL has released "Keeping Up With. . . General Data Protection Regulation (GDPR)" by Margaret Heller.
Here's an excerpt:
Anyone who holds data must make sure their practices and tools work with GDPR. . . .Librarians have been deleting data about people for a long time. It is standard practice to delete the borrowing records for patrons when the book was returned or a fine paid. . . . But since then, the trails people leave through libraries have become easier to track as more and more reading happens online. A lot of the systems we use haven't offered the ability to delete search logs or other information about individuals, but as of right now are starting to roll out those tools to be compliant with GDPR. Some of the tools are blunt instruments: for example, Ex Libris offers the option to delete patrons from Primo entirely, but this doesn't really address issues like search logs .