You need to ensure that your organisation has an Information Security Policy in place, together with the appropriate training, systems, controls and procedures to ensure that it is enacted, checked and actually works.
You need to assess all personal data held and determine the risk it would pose in the event of a data breach, and what sort of actions would be required. Then, for each risk level, there should be appropriate technical and organisational security in place to reduce the risk until you are confident the controls are sufficient to preserve the integrity of the data.
Any IT system takes knowledge, time and effort to develop and maintain, and often requires specialist assistance as well.
Having said this, it is clear that the procedures and controls put in place need to match the needs and existing controls of the organisation’s day-to-day activities. Ideally, they should fit seamlessly into normal working processes while being as inexpensive and automated as possible.
Many IT systems come with such controls built in (e.g. passwords to control access). The first thing to do is to create and use a strong Information Security Policy that sets out how your organisation wants to handle information security, who can be contacted internally for advice and who holds responsibility, and that details the organisational and technical control measures to be used, together with staff roles and responsibilities regarding all aspects of data use and data breaches.