
Can anyone suggest resources we can use to establish terms and conditions for our users/customers who sign-up for app and web systems? Ideally resources that help us ensure EU GDPR (and any other relevant data/privacy law) compliance.

Written by Jasmine Sunga
Updated over 5 years ago

Basically, you need a privacy policy and changes to your terms. Best to get a lawyer to help you. There are self-service resources, but these will not be good enough.

One option is to have a lawyer specialized in GDPR do an audit of your current setup, and they’ll give you a list of fixes. Might be less expensive than having a lawyer do all the work for you. Germany has strict national laws regarding privacy, so copying and modifying, for example, Bosch's privacy policy, etc. is a fairly safe bet. At least for European companies, GDPR goes far beyond just privacy policy and terms, so be prepared for a lot of work if you need to really comply with all the regulations.

Copying German companies is definitely overkill, but I know companies that have switched from a US provider to a European one just because of poor GDPR compliance, so if you have a large potential market in the EU, it’s important to be fully compliant.

It is a rabbit hole, and if you are not careful, it can suck a lot of resources and time. Depending on whether you have a strong EU base of customers and the risk, you may decide how far you want to go. I would recommend just starting with the privacy policy and DPA (Data Processing Agreement). For the DPA there are EU model clauses that you can use as a template, so you can just take those and avoid having to redraft or go under the Privacy Shield.

Perkins Coie has a good GDPR team.
