What are the risks associated with non-compliance?
The GDPR applies to the controller – the entity that decides why and how to use personal data – and the processor – the entity that processes the personal data on behalf of the controller. The processor is jointly liable with the controller for the personal data it receives from the controller. This means that cloud service providers are subject to the GDPR if they process data on EU citizens, regardless of whether they provide a service to those individuals or not.
EU member state supervisory authorities have the discretionary authority to issue sanctions for non-compliance. For severe breaches, sanctions can result in fines of up to 4% of global revenue. Severe breaches can be triggered by infringement of data subject rights and of basic data protection principles, such as consent or data security, and by unlawful international data transfers.
An organisation can be fined up to 2% of global revenue simply for not having its records in order (article 28), for not notifying its supervisory authority about a breach (articles 31 & 32), or for not conducting data protection impact assessments (article 33).
The GDPR is specific about personal data breach notification. It requires you to describe the breach in terms of its data category and the records and data subjects affected. In some cases it requires you to inform the data subjects and the supervisory authority.
What you need to do
To reach compliance, you must at least be able to demonstrate that you have a good data security policy and system in place, that you know where personal data is stored, whether it is shared, and how it can be accessed. You will also need a system to respond to data subject requests and to report breaches within 72 hours.