I know you’re probably tired of hearing about GDPR.
GDPR isn't just standard data protection waffle. It's a whole new way of approaching personal data. And it's obvious when an organisation hasn't even bothered to attempt to comply. It has to be stressed that the main threats to your business with regards to GDPR aren't directly from the ICO but rather from employees and clients who will want assurance that you can properly demonstrate that you know what you're actually doing.
Do you have the policies and procedures in place for identifying and addressing the different lawful bases for processing data?
Do you have appropriate data governance and accountability rules in place?
Can you handle data subject access requests and uphold data subject rights without prejudicing anyone?
Are all of your marketing and external/internal communications properly compliant with data processing rules under the GDPR? If not, why not?
This all has to be part of your demonstrable privacy framework.
If you don't even know how to approach these few questions, let alone know how they are meant to be implemented along with the rest of the GDPR, you're going to be in trouble. And you won't realise until it's far too late for your reputation.
Be proactive and get it sorted. It'll save you a lot of headaches in the future.