That depends entirely on your company. Many organisations will have to make additional safety arrangements for their software and hardware; in others, these arrangements may already be in place and there is little left to do. Either way, data protection should definitely be taken seriously. Since the GDPR came into force, simply ignoring data protection has had bigger repercussions. It seems that penalties imposed on SMEs have already been up to 500 – 5.000 EUR. You can find more information about the risks of non-compliance with the GDPR here.
The GDPR also demands data protection by default and by design, which means that suitable technical and organisational measures have to be taken to fulfil the GDPR principles and to protect data subjects.
The GDPR is also an opportunity for many organisations to minimise existing risks and to position themselves on the market as a reliable partner who takes data protection seriously.