Compliance with the UK GDPR is required. If you process the personal data of data subjects outside the UK, that processing must also meet the regulations and legislation of the countries concerned. Policies and procedures should be in place, and actually in use, to mitigate risks to personal data.
Employees should be informed of their security obligations and responsibilities at the start of employment, before they are given access to personal data or business systems.
Security policies should be distributed to all employees and form part of their contractual obligations. Your suppliers should meet a set of security requirements you have defined around handling personal data.
Monitoring should help you identify suspicious activity on your systems. Business systems and processes must be tracked and monitored in accordance with your information security policies so that you can demonstrate compliance.
Incident response procedures should ensure that any incident (loss of data, a phishing attack, etc.) is handled successfully or, where that is not possible, to the best of your ability.