GDPR?

Anyone dealt with GDPR yet? It's coming down the pipe and we have a couple customers that need to comply. The requirements seem... daunting and must be met regardless if you're a small company or large. It seems to be a very large burden for a small company to comply with.

A client of mine is a subcontractor for IBM and IBM is demanding they "demonstrate" their GDPR compliance, more than just a document saying they comply. My question is what are any of you doing? There doesn't seem to be a clear cut list of things to do to be compliant.