It is not clear from your question if you refer to the company infrastructure concerning assets and organization or to the IT infrastructure. In general, there are different levels to consider from an infrastructure point of view.
The first of all is the privacy by design principle: you need that your infrastructure project considers GDPR requirements from the very beginning (what kind of data are going to be processed, for what purposes, how long data will be processed, who can access, how data will be secured). The Data Processing Impact Assessment process can help you to focus on specific GDPR requirements and design the infrastructure accordingly.
Then the privacy by default principle: your infrastructure should be settled considering GDPR requirement at its strictest. (i.e., setting data retention periods, defining the process to manage data subjects rights, following the data minimization principle which requires companies to collect and process only personal data which are necessary to reach the purpose for which had been collected). Internal policies and the registry of data processing will help you.
Adopting security measures refers to all the organizational and technical processes to ensure security. (i.e. internal policies on document access, on teleworking, on bringing your own device policies, or email security protocols, VPN, antivirus, antimalware, and so on.).
The GDPR leaves up to the controller the choice of the solutions which fit better to its own organization. The balance is among the state of the art, the costs, the kind of personal data involved, and the threat to individual’s rights and freedom arising from data processing which may differ from the brick and mortar shop to the marketing agency which monitors the behavior of customers and run targeted marketing campaigns.
Here you can find more information to start implementing GDPR: