GDPR applies as soon as a site processes personal data of people in the EU/EEA, and for a website that starts with something as ordinary as analytics, comments or form submissions. It doesn't matter where the server is located or where the company is registered: Art. 3(2) covers any site that offers services to, or monitors the behaviour of, visitors in the EU. WordPress has had built-in privacy tools since version 4.9.6 (May 2018), but they are not always enough.
Built-in tools
WordPress has a privacy policy page template (Settings → Privacy), with suggested text that core and well-behaved plugins contribute to. Tools to export and erase personal data are under Tools → Export Personal Data and Tools → Erase Personal Data; they work on the email address of the person asking, and a confirmation email goes to that address before anything is exported or erased. The comment form has had an unticked opt-in checkbox for remembering the commenter's name, email and website since 4.9.6. These are the basics, and they cover the simplest cases: they know nothing about data held by a plugin that never registered an exporter or eraser, and nothing about third-party scripts.
Cookie consent
If you run Google Analytics, Facebook Pixel, or other third-party scripts that set cookies, you need a cookie banner with active consent, and the scripts must stay blocked until the visitor gives it. Not an info box saying "we use cookies", and not a banner that counts scrolling or continued browsing as a yes: a tool that keeps the scripts from loading until the visitor actively approves, makes rejecting as easy as accepting, and lets the visitor withdraw the choice later. Check the result rather than the plugin's promise: open the site in a private window, don't answer the banner, and confirm in the browser's developer tools that no _ga, _fbp or similar cookies exist and no requests have gone to the tracking domains.
Complianz and CookieYes are two plugins that handle this. Both scan the site, identify the cookies it sets, and generate a banner with per-category consent. Complianz has better documentation, CookieYes has a simpler setup. Neither can block a script it doesn't know about, so after pasting a tag into the theme header or a page builder block by hand, re-scan and check in the browser that it is actually held back.
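To make the "blocks scripts until the visitor approves" requirement concrete, here is the mechanism such a tool implements, as an added example written for this page, not code from Complianz, CookieYes or WordPress. Tracking tags are written into the HTML as inert placeholders (`<script type="text/plain" data-consent="analytics" data-src="…">`), which the browser neither fetches nor executes, and are only swapped for live scripts once the matching category has been granted. The cookie name, its lifetime, the category names, the sample placeholder list and the `G-XXXXXXX` measurement ID are assumptions.

```javascript
// Added example: consent-gated script loading (illustrative, not any plugin's code).
// Placeholders in the HTML look like:
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
// type="text/plain" means the browser does not fetch or run them, so no cookie is set.
// Only after the visitor grants the category is a placeholder replaced by a real <script>.

const CONSENT_COOKIE = "site_consent";          // assumed name of the cookie storing the choice
const CONSENT_MAX_AGE_DAYS = 180;               // assumed lifetime of the consent record itself
const CATEGORIES = ["analytics", "marketing"];  // categories that require active consent

// "necessary" is always allowed; everything else stays off until the visitor opts in.
function noConsent() {
  return { necessary: true, analytics: false, marketing: false, decided: false };
}

// Read the choice back from a document.cookie string. A missing, malformed or tampered
// value falls back to "nothing granted", never to "everything granted".
function parseConsent(cookieString) {
  const entry = (cookieString || "")
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return noConsent();
  try {
    const stored = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    const consent = noConsent();
    for (const cat of CATEGORIES) consent[cat] = stored[cat] === true; // strict boolean check
    consent.decided = true;
    return consent;
  } catch (_err) {
    return noConsent();
  }
}

// Serialize a choice for document.cookie: explicit expiry, Secure, SameSite=Lax.
function serializeConsent(choice) {
  const stored = {};
  for (const cat of CATEGORIES) stored[cat] = choice[cat] === true;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(stored))}` +
    `; Max-Age=${CONSENT_MAX_AGE_DAYS * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Given the placeholders on a page ({category, src}), return the ones allowed to run.
function allowedScripts(placeholders, consent) {
  return placeholders.filter((p) => consent[p.category] === true);
}

// Browser side: swap each allowed placeholder for a live <script>. Placeholders whose
// category was not granted are left untouched, so they never load and never set cookies.
function activateConsented(consent, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0; // no DOM (e.g. running under Node)
  let activated = 0;
  for (const el of Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))) {
    if (consent[el.dataset.consent] !== true) continue;
    const live = doc.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src;
    else live.textContent = el.textContent; // inline snippet, e.g. the gtag() bootstrap
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Constructed sample of what a typical page carries (paths and the GA ID are placeholders).
const SAMPLE_PLACEHOLDERS = [
  { category: "necessary", src: "/assets/consent-banner.js" },
  { category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
  { category: "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
];
```

The point to notice is the default: with no cookie, a tampered cookie, or a value like `"analytics": "true"` (a string, not a boolean), `allowedScripts` returns only the necessary script. A banner that merely hides itself while the tags load normally has the opposite default, which is exactly what the "we use cookies" info box gets wrong.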
Analytics without cookies
Plausible and Fathom are analytics tools that set no cookies and store no personal data; they count visitors from a daily-rotating hash of IP address and user agent instead of an identifier on the device. Because nothing is stored on or read from the visitor's device, they don't need cookie consent. More expensive than free Google Analytics, but simpler to handle legally. They still process the IP address on the way in, so list them in the privacy policy and sign the provider's data processing agreement. We've switched most client projects to Plausible.
Forms
A consent checkbox, unticked by default, on every form where consent is the legal basis (newsletter signups, anything reused for marketing); a pre-ticked box doesn't count as consent. A plain contact form doesn't need a tick to be answered, but every form needs a link to the privacy policy. Validate the checkbox server-side, not only in the browser. Don't store more data than actually needed. And have a plan for how long you keep submissions and how they get deleted: most form plugins save every entry to the database and keep it indefinitely unless you configure retention.
GDPR isn't optional. But with the right setup it takes an afternoon to fix, then it just runs.