Any organisation that holds information that identifies a natural person has a legal obligation to provide appropriate data security for that data.
At a minimum, you need to inventory what data you hold, where it is held and what risk is associated with it, together with any mitigations you can apply to that risk.
So a minimal level of security should include least-privilege access, access security, and up-to-date antivirus and anti-malware, on a system that is patched up to date. If this is on a device that is to be removed from your premises, then it needs to be encrypted.
Yes, that’s quite a minimum requirement to meet your minimum obligation.