The main reason GDPR is so scary is the potential financial penalty: €20 million or 4% of the previous year's worldwide annual turnover, whichever is higher. That is enough to scare most companies, large or small, so most are taking this seriously. Going back to your website compliance, there are a number of rules and regulations which need to be adhered to, each falling into a different area:
Consent
Ensuring individuals can opt in to having their data gathered
Processing
Defining rules about the processing of personal data
Securing data
Ensuring organisations protect an individual's privacy
Breach notification
Informing individuals (and the authorities) about data breaches
Right to access
Adhering to requests for access to personal information held
Right to be forgotten
Ensuring individuals can be removed from your records
Due process
Ensuring you have defined procedures to follow and individuals responsible for actioning them