Of course, the first part of the process is to identify which personal information are you holding and for what purpose.

Based on that you'll have to do an impact assessment and map where all that info is going (I assume you use third parties like Google Apps or Dropbox). You need to collect Data Protection Agreements which should cover GDPR and of course update your privacy policy.

On the technical side, you need to have appropriate security for protecting such information (such using encryption in your laptop, or making sure you have "https" on you site when submitting information).

The process if of course, longer than that but that gives you an idea. Depending on your size it would be a good idea to bring an external consultant to help you with the process. The UK ICO has good information about you have to do.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/