Saturday, March 24, 2018

GDPR: Everybody panic and run around screaming "Consent & Fines"

As the May 25th deadline approaches, many companies' approach to it looks more and more like a dumpster fire, with project managers, lawyers, and vendors becoming increasingly hysterical.

What could have been a boon to privacy and security seems to have turned into something of an exercise in pointlessness and hiding skeletons in the closet by implementing technology quick-fixes flogged by vendors touting silver bullets.

I hate saying this, but start by getting the basics right. If you don't understand what you have, you can't ensure privacy or security. Implementing even the best controls on shaky ground just adds complexity and can actually reduce the protection of your information (whether PII or your own intellectual property). Encrypting databases when everyone is local admin on the database servers, everyone has access to all the key material, and SQLi is the best-documented way to reach the data anyway isn't really helping; it's just playing pretend, and that is going to make us all look bad in the end.

[/RANT]

Recommended reading:
https://www.cnil.fr/en/pia-software-updates-beta-version
https://www.peerlyst.com/posts/gdpr-compliance-step-by-step-part-1-the-prerequisites-david-froud
http://www.davidfroud.com/free-resource-the-gdpr-in-plain-english/
https://www.peerlyst.com/posts/the-gdpr-wiki-nicole-lamoureux
https://www.cisecurity.org/cybersecurity-best-practices/
https://www.sans.org/
http://www.pragmaticcso.com/
https://www.itculate.io/2017/06/p2-mapping-microservice-relationships/
