Due to the Personal Data Regulation, it is important to clarify whether you are a data controller or a data processor.
If you store and / or process personal data for others, you are categorized as a data processor. This means that you are not allowed to use the data for anything other than completing the task where you are a data controller.
There is a number of obligations that your organization needs to be compliant with when handling other people’s data. For instance you must have a written contract setting the framework for data processing - a data processing agreement - and you may only process data according to clear and documented instructions from the data controller.