I do have a database of my customers which I carry on a laptop when I'm working. That laptop never leaves my sight.
If the laptop is opened by anyone other than myself, they have to know the Windows logon password.
Basic details, only, are kept; which includes various personal details - which *could* be of potential use to somebody else (fortunately, no bank or similar details). However, any given customer would only ever see their own personal details.
The database is downloaded to my home pc each evening (as a refresher and back up) and that pc is similarly logon protected. My 'office' is monitored in my absence by a webcam and associated security software recording.
All people actively on the database are aware of what their record contains and the associated protection that is applied to their data.
I just hope to goodness that all that would satisfy the powers that be!