In order to protect personal data as prefigured by GDPR, you first need
to be fully aware of what
personal data is being captured, processed and stored by your
organization, or by third-party organizations on your behalf.
To this end, you need to accurately identify and classify such data, by modelling the processes currently in place in your organization.