This is a good question, I've been meaning to get an itch.io publishers guide to GDPR out. Expect that in the near future.
In general, you don't have to do anything special for GDPR, but, the email addresses we provide to sellers can not be used for unsolicited marketing. We added a notice above all the places where we show email address with the restrictions about how you can use them. You can not use the email addresses collected for purchases for communication the buyer has not consented to. The email addresses are only made available so you can contact individuals about their purchase specifically. Acceptable uses for the email address and email system include: updates to the game, new files (eg. bonus content), you added external keys. You should not use it for sending marketing emails about new content you're releasing.
It's likely create a more formal mailing list feature that will have buyers opt in so you can send them marketing messages.