The seventh principle of the GDPR regulations outline that you must have the appropriate security and measures in place to prevent personal data being accidentally or deliberately compromised.
Not all security breaches have such grave consequences. Many cause less serious embarrassment or inconvenience to the individuals concerned. Individuals are entitled to be protected from this kind of harm as well.
In practice, you need to be confident that your website is safe and that hackers aren't able to exploit it for their own gain, whether or not you collect data, or sell directly online.