There is nothing wrong in being confused about data compliance, but you have got to get to grips with it. Our Little Book of IT provides some insight and has been featured in Fintech Finance. While the article discusses the issues, I've offered up the top areas to focus on from a DR compliance perspective.
1) Identify personal data. Pseudonymize and encrypt it. Ensure the personal data is stored separately from metric data and other non-personal data.
2) Protection: Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
3) Have the capability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
4) Ensure there is a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for the security of data processing.
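The separation in point 1 is easy to state and easy to get wrong in a pipeline. The following added example (not from the book or the article) shows one way to do it: a keyed pseudonym replaces the identifier in the metric store, the personal fields go into a separate vault keyed by that pseudonym, and a check confirms no identity field ever reaches the metrics. The sample events, the field names and the key handling are constructed assumptions; encrypting the vault at rest is left to a proper AEAD library and a KMS-managed key.

```python
import hmac
import hashlib
import secrets

# Constructed sample: raw events that mix identity and metric fields,
# as a telemetry pipeline might receive them before any separation.
RAW_EVENTS = [
    {"email": "alice@example.com", "name": "Alice", "page_views": 12, "latency_ms": 340},
    {"email": "bob@example.com", "name": "Bob", "page_views": 3, "latency_ms": 910},
    {"email": "alice@example.com", "name": "Alice", "page_views": 7, "latency_ms": 280},
]

# Fields the pipeline treats as personal data (assumed set for this example).
IDENTITY_FIELDS = {"email", "name"}


def pseudonym(key: bytes, email: str) -> str:
    """Keyed pseudonym: stable for one key, not reversible without it.
    The identifier is normalised first so case variants map to one token."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:32]


def split_events(key: bytes, events):
    """Return (metrics, identity_vault).

    metrics: rows carrying only the pseudonym plus non-personal fields.
    vault:   pseudonym -> personal fields; the only store that needs
             encryption at rest and tight access control (not done here)."""
    metrics, vault = [], {}
    for ev in events:
        token = pseudonym(key, ev["email"])
        vault.setdefault(token, {f: ev[f] for f in IDENTITY_FIELDS})
        metrics.append({"subject": token,
                        **{k: v for k, v in ev.items() if k not in IDENTITY_FIELDS}})
    return metrics, vault


def leaks_personal_data(metrics) -> bool:
    """True if any metric row still carries an identity field. Run this as
    part of the regular testing of technical measures (point 4)."""
    return any(IDENTITY_FIELDS & set(row) for row in metrics)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice: held in a KMS/HSM, not beside the data
    m, v = split_events(key, RAW_EVENTS)
    print(len(m), "metric rows;", len(v), "vault entries; leak:", leaks_personal_data(m))
```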
Beyond this, you will need to ensure that where you store and process data is both compliant and efficient to use and access, and that could mean keeping more of your data and processing local to your clusters of customers. That in turn could trigger a rethink of your data center and cloud locations. Can you implement that faster using service providers, or by planning, building and maintaining on-prem facilities?
The Little Book of IT study found that in the UK, 30 percent of business respondents who classified their security technology as “fully implemented/integrated” reported that no security improvements could be made.