This could go on and on, sorry...... so some bits:
The answer is document, document, document... need to be able to show a culture of ‘privacy by design’ and transparency for the data subjects..
Security structure which should be from the top.
all information assets what they contain personal information wise.
what legal reasons there are for processing this information (reasons for processing)
carry out privacy impact assessments and risk assess
record information flows, who has access, how and why
all the control measures that are in place, physical, organisational and technical
all the training of staff on data protection
all the contracts with third parties
any information transfers especially to third countries and how that is protected.
all consents and what they consented to and show that it was informed
privacy notices for the data subjects
The breach processes
record retention periods for the information assets
how to handle data subject rights.
I will have missed bits off but hopefully you see the idea. After that I think it depends on the type of company, e.g data controller needed or not etc. Other bits like no opt outs on web sites, opt in only.
hopefully the above helps, as you may guess I have been doing the above 🙂
GDPR can be a daunting beast. When you come to question like that try and switch places with the Authority.
If you visited another organisation and asked them to prove they were carrying out the activities in Paragraph 1, what evidence would you believe?
As mentioned, documentation is a number one item, but you also then need to show that this is being followed and is embedded in culture, not just IT systems (staff awareness and training) e.g., how do you check that privacy has been considered during design, an not just bolted on afterwards; do you have gateway check during project delivery?
On the wider picture, there are organisation that can assist with refining standards into defined control sets, but make sure you do not turn GDPR into a tick and flick exercise - that will undoubtedly result in a fail