You should prepare for a data breach, that is, a situation where you have not handled PII according to GDPR.
Humans and automated systems can make errors and use data where it should not be used. Have a process for data breach events so your organization knows what to do when that happens.
GDPR is applicable to all EU member states, but it is enforced by a national data security authority in each member state. Contact your legal representative for specific questions, or your national authority for general questions regarding data breaches and penalties.