Clients should appoint a Data Protection Officer no matter how big or small the company is. Under GDPR regulations there is a requirement to manage customer data responsibly and to keep it secure. In practical terms this means doing a review of the places that you store data like computers, email, databases, websites and on paper files. Having completed the review you should categorise the data into how sensitive it is and how long you should store it. You should then allocate a task to have the data further secured or deleted if its no longer relevant eg old customer orders. All of this should be outlined in a Data Protection Policy.