You will need to set policies and procedures for collecting data and storing it. You will also have to create the steps you’ll take when a data breach has been discovered. You’ll need to inform all employees and clients on how you’re collecting data, what you’re going to do with, how long you will keep it, how you will destroy it.
For example, if there is a data breach you will need to inform your local data protection authority with 72 hours. This is not say it will be solved in 3 days, but it must be reported after you have discovered it. You can then tell them this is what you’re now going to do to lessen the damage
If you have no policies and procedures, you are liable for up to €20 million or four per cent of your global turnover. It would be a good idea to have the developed and ready to go in case of a data breach.