Depending on the type and volume of data you collect, you may also be required by law to appoint a Data Protection Officer to advise on your Data Privacy Framework and staff GDPR training, and to help carry out Data Protection Impact Assessments.
The Data Protection Officer is also responsible for carrying out an annual GDPR compliance audit of the organisation and presenting it to the board of directors.
As a retail or online business you will be collecting card payments, so you must comply with PCI DSS, the worldwide Payment Card Industry Data Security Standard. It was introduced to help businesses process card payments securely and reduce card fraud, which it achieves by enforcing tight controls on the storage, transmission and processing of the cardholder data that businesses handle. PCI DSS is intended to protect sensitive cardholder data.