I'd highly recommend OSM as well. It BCCs everyone as a matter of course when you mail from the system, and also gives you a range of email addresses to send from your client to the whole Troop, all the leaders, all the Falcons, everyone going on summer camp or whatever, if you don't want to sign in - again sending BCC.
Again on the security theme, our Cubs no longer do paper camp forms - they just ask parents to sign in and check details, so everything stays secure in the system. There's an HTML5 phone app that works offline, because reception is a bit rubbish in many Scout huts and on many camp sites. It just updates the central system next time it manages to connect.
I've not had a GDPR directive from District yet, although I'm off to some training on Saturday with my church secretary hat on. Again, I'm inclined to think that part of the answer there is to store the data in a system and mail from that, rather than use a spreadsheet, a paper file or whatever. We use ChurchSuite, which is pretty much an OSM for churches.
How you email and where you store the data is far from the whole story in GDPR. In a structured set-up like the Scouts, we can just try to follow what HQ recommend. But a purpose-designed system helps.
The really brilliant thing about OSM is its integrated approach. For example, you set up a programme, and mark each evening with the badge requirements it covers. Then you record attendance, and you can let it update everyone present automatically as having covered that requirement. And so on in many areas. Not GDPR-related, but really helpful.