We've all been hit with endless offers of GDPR webinars and product pitches, so I'm not going to repeat the stuff you can find there. But there are some big-picture points you might not have picked up yet regarding GDPR and your customer relationship management (CRM) system, and they're worth summarizing here.
Point #0: Talk to your attorneys. Even though the regulations may seem irrelevant to you and your business, ignorance of the law is no excuse ... and is definitely not bliss. Even if you do no business in Europe, your business is likely to be affected by GDPR and could incur penalties. Why? Because there are plenty of ways that European citizens can get their data into your systems without your knowledge, and if they've done so you're supposed to be complying with the new regulation. And the penalties for non-compliance can be surprisingly high. That said, none of this has been tested in court or regulatory appeals yet, so it's going to be murky territory for a while. Pay your attorneys for practical advice on how to minimize the business risk (even though you'll see below that it can't be eliminated).
Related to this are a couple of fundamental disclaimers: I am not an attorney (I don't even play one on TV), and you must not take anything in this article as legal advice.
Point #1: Ignore screams of "we're not compliant!" While non-compliance for your company is very likely to be true in the abstract, if you are perfectionist in the interpretation of GDPR everyone is non-compliant. There is no product that can make you compliant, there is no consultant who can guarantee compliance, there doesn't appear to be a "seal of approval" that certifies compliance, and I would be stunned to find an IT vendor willing to indemnify you if you are non-compliant. (You might be able to get some coverage under your corporate insurance policy, however.) So start with triage and work on the killer risks first.
Point #2: CRM systems, marketing automation systems, and websites are ground zero for GDPR issues. These systems hold lots of information about people, and they are virtually certain to not hold any data about their citizenship. So these systems need to start holding opt-in information and other metadata needed to enable GDPR compliance, and synchronizing this data so all your processes act consistently. Your website registration forms need to provide special pathways for European citizens (to make sure they are exposed to all the right disclaimers, notices, and check boxes) while exempting people who claim they are not European citizens (so they aren't burdened with irrelevant information and options). While working on these centralized systems, realize that there's a decentralized risk that's even greater ... we'll get to that.
Point #3: You can buy products that show you are applying commercial diligence regarding GDPR compliance. While you can't buy compliance, you can buy enablement. Any products that provide logging and alerts regarding security events (such as Salesforce Sentry) are probably good. Any tools that help detect security issues across systems (such as Splunk) or provide in-depth protection for data leaks of system intrusion are close to must-buy items. If you've procured these products or services, you're at least showing intent to comply.
Point #4: Compliance is largely about process, checklists and people. While it is conceivable that you could be compliant without buying any new products, you cannot possibly be compliant without having explicit processes, procedure manuals and incentives/goals for your people to actually get the compliance job done. While you certainly can (and maybe should) outsource the vulnerability assessment and high-level recommendations for GDPR, the actual "grunt work" of figuring out all of the niggling details should probably be done in-house.
Talk to your HR and legal guys: you might want to make intentional flouting of GDPR and abuse of your customers'/prospects' personal data a fireable offense.
And, yes, this is a journey, not an event. Probably every time you do a significant reorganization of your marketing team or swap out service providers, you're going to need to revamp your procedures. It probably makes sense to have a review on an annual basis. You wonder why my friends call me "Commander Boring"?
Point #5: The biggest technical work will probably be in loosely-integrated systems. If you think about the long-run implications of GDPR, a critical issue is control of where your customers' data resides and how it is used. If a European citizen demands to know all the personal data you have about them and every way that you use it,... that could be quite the challenge. And if they ask that the data be deleted, how can you ensure that the data won't reappear in your systems from some weekly batch process? At the very least, you need to have a process map of all the ways that personal data is stored and managed, and you'll probably discover some places where synchronization needs to be tighter and more complete. Some of this can be really painful.
Point #6: The biggest risk is likely to be in email. Nearly every email client has an address book feature, auto-filled from email traffic. That's personal information, and you have no idea what their citizenship is. There's almost certainly no opt-in data in your employees' email address books, and you have no idea what the provenance of all those addresses is. Every email user's address book is thus a potential time-bomb of risk. So, aside from setting up new policies, email signatures, disclaimers, and training programs, you need to think about the technical side of address books.
Unfortunately, most users treat their address books as their personal property, and they are not used to handling it as a corporate data asset. An approach I recommend is to force users to have two address books in their email system: one for their personal addresses only, and one for corporate addresses only. The corporate address book is synchronized with the CRM system, and the personal one is scanned periodically to remove "dupes" that have crept in from the corporate address book. However, the synchronization of hundreds or thousands of email clients' address books with the CRM system is both a human challenge and a technical challenge - I urge you not to take it lightly, as mistakes can lead to data corruption and user revolt. This is not what anyone would call fun.
Point #7: Mum's the word. Although you do need to make all kinds of public statements (on your website, in email footers, etc.) about your efforts to comply with GDPR, I would not recommend public pronouncements ballyhooing your efforts. If you are wise enough to actually be compliant, don't be foolish enough to publicly proclaim it. Why? Because you are likely to attract black hat types or shake-down artists who will look for ways to make you non-compliant. Nobody wants to be the first to attract the European Commission's regulatory ire.