The first step is to make yourself aware of how GDPR affects your particular business. This includes assessing what personal data you collect from individuals (data subjects), as well as how it is obtained, how it is stored, and how it is shared.
Not saying “no” doesn’t automatically mean “yes”.
What this also means is that it is no longer sufficient to display a cookie banner informing website visitors that “By using this site, you accept cookies”. This does not qualify as affirmative consent, as there is no clear “opt-out” option. Additionally, website visitors should be able to withdraw their consent at any time, as easily as they gave it.
You need to consider the rights of your customers in accordance with GDPR and check the timeliness and practicality of your procedure should an individual request access to, or the deletion of, their personal data. A subject access request can only be charged for or refused if the request is excessive or unfounded, and your reasons will need to be explained to the individual concerned. With just one month to respond, you should examine the logistics of handling these requests so that you are prepared.
Furthermore, you will need to ensure that you have a procedure in place for the detection, investigation, and reporting of any potential data breaches.