What is the first step towards GDPR compliance?

Your first step is an audit: write down (1) which data you collect (including via external tools such as Analytics, Ads, CRM), (2) where that data goes (servers, cloud, third parties), (3) how long you store it and (4) how you currently obtain consent. After that, prioritise: which violations are most critical? Usually, it's tracking tools running without consent. Fix these issues first – a perfect privacy policy is less critical than unlawful tracking. In parallel, find competent data protection advice or an external data protection officer to avoid blind spots. With this structure, you make rapid progress and measurably reduce your risk.

Dig deeper

This question is part of our article on "GDPR fines for website violations — what they really cost and how you can avoid them". You'll find the full context and all related angles there.
