I attended a local seminar about GDPR by our accounting firm and their security and audit department.
Basically GDPR lays out common sense for security measures to protect the privacy of personal data of your customers. Plus you need to document who the consumer can contact for personal data (verification, correction or removal).
Address information that you keep with the orders in the accounts is not sensitive data. If you start to profile and keep track of the age of their kids and stuff then you can end up in the grey area of things. If you have a doctor's practice with medical records that is a big difference from an ecommerce operation.
So you need to use common sense to ensure data theft is not possible (securing logins, password policy, no USB stick backups, servers behind lock). Make sure that (paper) processes are documented and paper records are destroyed so that private and sensitive personal data cannot end up in the wrong hands. Also in a bigger setting with sensitive data, staff should only have access to the (sensitive) data that they need to know. E.g. the janitor should not be able to access medical records, to be blunt about it ... :D
I personally think it is a good effort to raise the awareness, it is just that people's reaction is over the top if they don't understand the concept of sensitive data and overall risk mitigation.
Edit: big caveat, if you sell personal data then you are in trouble :D