Now, unless your organisation is – in personal data terms – quite simple and/or very new, getting a comprehensive answer to those questions is no small task. By the same token, though, it’s one that can’t be avoided if you want to understand what you need to do to address the GDPR and the new Data Protection Act.
However, there’s a vital 3rd question to be asked, too:
3. Why do we need that data? Was there ever a good reason for collecting that data – and is there any basis to still retain it now?
(This final one may require both repeated questioning and some challenging of the answers you’re given…)