The very basic points of what needs to be covered to comply with the GDPR are:
Clarity on data held:
Controls and notifications
Organisational capabilities and trained staff
That’s a pretty big list already, but it’s just a list, and there is much to think about for each item. The ICO have published some really helpful checklists, with separate versions for data controllers and data processors, at https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/
It’s really worth going through these and making sure you understand what you are doing in each area.
Key to this, though, is documenting your approaches and measures and retaining records of the policies, procedures, training and assessments in case of challenge from regulators or auditors. As discussed in other sections of this blog, the potential penalties are now so severe that they threaten the survival of many organisations, and are therefore of interest to a wide audience.