Make a plan. Work the plan.
Start by creating a data map. Locate every place where you hold personal data. What databases contain the data? What applications use the data? What file stores contain the data? Include data flow: understand how the data flows into, through and possibly out of the company (such as to external data processors).
From the map, work with a privacy expert to determine which requirements are applicable. Do a gap analysis. Once data is mapped, identify not only the safeguards in place, but also where they are missing. Prioritize the gaps based on risk. For example, if a database in a company contains health data, prioritize compliance for that database over less sensitive data sets.
Do remediation. Take steps, based on the gap analysis prioritization, to meet compliance requirements.