Please answer these questions

Do you call your clients, suppliers or employees sometimes with your (mobile) phone?

Do you sometimes send e-mails to your clients, suppliers or employees?

Are you collecting first and last names?

Do you collect e-mail addresses?

Do you collect physical addresses (like street, city and country)?

Do you collect health information?

Do you collect financial information?

Do you collect social information?

Do you process credit card payments?

Do you process shipment information?

Do you process personal documents (passports, identity cards, loyalty programs)?

Have you been hacked before?

Do you know if you have been hacked?

Do you know if data has been stolen from you?

Do you know who to contact in case of a data breach?

Do you send out newsletters?

Have those people given their explicit consent to receive your newsletter?

Do you use cloud services like G Suite by Google?

Do you use cloud services like Dropbox?

Do you use cloud services like Office 365?

Do you use cloud services like Salesforce?

Do you use cloud services like GitHub?

If you have answered "yes" to any of the above services, have you shared screenshots or data dumps (spreadsheets, database dumps) on that service?

Is your application secured and can you prove this with an external audit report?

Do you log who has access to your data and when?

Do you prevent employees from accessing some or all of your personal data?

Is personal data stored on encrypted storage?

Do you share your data with 3rd-party suppliers?

Can non-employees access your computers and your data?

Have you encrypted your backups?