Identify if you are a Controller or Processor

Document the Data you currently hold.

Document your Policies and Procedures for handling personal data.

Put in place Procedures for Subject Access Requests including how you will verify the identity of the requestor

Document your security procedures in relation to Personal Data

Document your Data Breach Notification Policy and Procedures

Revisit your Privacy Notices to make sure they are compliant

Identify your legal basis for processing personal data

Check your Consent mechanisms (current and historical)  and ensure they are in compliance with the GDPR

Check your Third party processing Obligations

Check your contractual agreements to ensure they are in line with the GDPR

Check if your Legitimate Interests for Processing overrides  the individuals rights under the GDPR

Carry out a Risk Assessment  on the personal data you hold

Prepare to run a Privacy impact Assessment on any future projects – referred to as DIPA (Data Impact Privacy Assessment)

Educate your Staff about the GDPR and how it will impact their roles.

If dealing with Children – check your obligations regarding age verification and parental consent