General Data Protection Regulation (GDPR)
Every organisation that is located in the EU, or that collects, records, organises, structures, stores, adapts or alters, retrieves, consults, uses, transmits, disseminates or otherwise makes available, aligns or combines, restricts, erases or destroys personal data of people situated in the EU, must comply with GDPR.
You have to comply with GDPR for a couple of reasons, not only because it's the law! Think of the financial costs if you have to recover data. And consider your reputation: when you are GDPR compliant, your clients really appreciate that they can trust you.
A data protection impact assessment (DPIA) is necessary if one of your types of data processing might result in a high risk to the rights and freedoms of natural persons.