The new legislation, known as GDPR (General Data Protection Regulation), states that personal data may only be collected, stored and processed on a strictly need-to-know basis, and only for as long as it is needed. So, no collection of "nice to know" data and no retention of data for purposes that might possibly arise in the future.

You will need to survey what personal data you manage, make sure its collection and processing are lawful, document it, and make a plan for how to comply with the regulation. Then, update staff and data security procedures accordingly and put data processing agreements in place with applicable partners, such as IT providers.