Do all your employees follow compliant processes?
Compliance lies in each of the processes that involve personal data. In addition to the inventory (read more under Elvium's 3rd GDPR tip), which serves to describe the processes, it is important that all employees who handle personal data know what they do, how they do it and why they do it. This calls for regular process training with employees, delivered in a way that makes it feel like a sensible, customer-friendly effort that everyone understands and cares about, rather than just a heavy burden. Examples include agreements about who receives codes/passwords and how they are revoked or changed when people are hired or leave.
You need to create workflows that concentrate on protecting electronic data - not like now, where many workflows essentially date from a time when data resided in physical archives.
In other words, this can mean a significant change of habits and routines in all corners of the company, but at the same time it can be a convenient opportunity to fine-tune the company to modern electronic good sense.
All processes should be written into the employee handbook or IT security policy so that they can be presented for inspection whenever required.