A few notes on GDPR.
GDPR now requires your organisation to appoint a DPO (Data Protection Officer) if it carries out certain kinds of data processing.
What does PCI DSS (a set of regulations on card payments) have to do with GDPR?
Both are about securing personal data. The difference is that the GDPR is less prescriptive than the PCI DSS. The GDPR provides guidance on what needs protecting but does not provide a detailed action plan. Conversely, the PCI DSS details clearly what needs to be achieved and provides a clear methodology for securing cardholder data.
More on GDPR: https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation