I know you’re probably tired of hearing about GDPR.
GDPR isn't just standard data protection waffle. It's a whole new way of approaching personal data. And it's obvious when an organisation hasn't even bothered to attempt to comply. It has to be stressed that the main threats to your business with regards to GDPR isn't directly from the ICO but rather employees and clients who will want assurance that you can properly demonstrate that you know what you're actually doing.
Do you have the policies and procedures in place for identifying and addressing the different lawful basis for processing data?