...as far as I can tell, the following should be a good starting point, "data" being personal data.
If you are required to collect and process data for statutory reasons then you're allowed to do so to the extent that the statute says.
If you need to collect and process data in order to complete a transaction for goods or services then you can do so and retain it as long as needed, bearing in mind that different data items may be required for different lengths of time. You should delete data when it's no longer needed.
You should only process the data according to the needs of the transaction for which it was required.
Need is not want, neither for collection, storage nor processing. What some department wants is irrelevant; it's what the transaction needs that matters. You need to analyse this carefully; so carefully you can stand over your analysis in court if need be.
If you want extra data or want to process it in some additional way you must get explicit consent for that extra data or usage from the data subject. The consent may be withdrawn at any time. If it is you must delete that extra data. The regulations allow for technological limits so you don't have to edit backups. OTOH you're unlikely to get away with not re-deleting it if you have to restore from backup.
Getting extra permission can't be tied to providing the goods or services. Trying to weasel out of that or anything else is what brings the top tier of fines. The authors of GDPR saw you doing that previously. They've taken precautions this time.
You need to show data subjects what you hold about them if they ask and fix it if it's wrong.
You need a data protection officer. That's a role, not a post. You don't need somebody full-time unless you think the workload is going to justify it. The DPO needs sufficient clout to say what can and can't be done and to find out the truth of what's being done.
Data is stuff held in written records as well as this trendy electronicry.
If thy business is monetising data subjects' data rather than just selling goods and services to them then the curse of GDPR be upon thee and upon thy