You don't need a new employee, just someone who is assigned the task to deal with queries that come in. For a small start-up this is not likely to amount to many requests, and even then the requests from the public first go through the regulator. So many requests will be weeded out at that stage with the aim of reducing the burden on businesses, only requiring them to act when the regulator has identified a breach. At this point they have to fix it, if they don't fix it, or don't try to fix it (fizimg it is usually by deleting the customer data) then they are open to prosecution. If they fix it the regulator isn't then going to seek huge fines, they are aimed at non-compliance firms who have no intention of complying (e.g because it is their entire business model).
