As part of my diagnostics approach, I divide GDPR compliance into seven categories of requirements, each with multiple sub-categories (the sub-categories are hard to read in the figure). Each sub-category is a compliance matter that will require process changes, technology changes, and/or changes to the competencies or capacity of the people in the organization (operating model changes).
Many organizations are, however, not aware of the considerable workload that GDPR compliance demands. Consider the following figure, which shows the work required to fulfil only the category covering the rights of the data subject, consisting of 10 sub-categories: significant effort is required from both the technology and the business process perspective to become compliant (red and yellow circles).
Depending on the organization, the IT changes can affect multiple systems, including legacy systems, and IT carries most of the change needed to meet this category of requirements.
Becoming compliant is therefore ultimately not only a matter of effort, but of the time and cost associated with that effort, and you should take care not to under-estimate either.