Last updated: Jun 19 2018
You should prepare for a data breach, that is, a situation where you have not handled PII data according to GDPR. Both humans and automatic system can make errors and use data where it should not have been used etc. Have a process in store for data breach events so your organization knows what to do when that happens.
GDPR is applicable to all EU member states but it is enforced by a national data security authority in each member state. Contact your legal representative for specific questions, or your national authority for general questions regarding data breaches and penalties.