It is also recommended for users to harden the security on mobile devices using long passwords, and automatic deletion of phone data when there are several wrong passwords attempts. This will avoid thieves getting hold of double-authentication access code.
All users should set auto screen lock to decrease the risk of snooping from people that may be browsing the workplace. Here is a link that describes how this can be done on Windows based computers.
Here is a link to good article from PayPal about how GDPR affects anyone handling personal data from subjects in EU, and what steps to take.