Re: Still trying to figure it out
"My issue is precisely what I said in my comment: there seems to be a lack of specifics."
Of course there's a lack of specifics. The ICO don't know what sort of business you run or what sort of data you hold so how can they give you specific advice in their notes?
Start with the section on principles of data protection. Look at them in the light of your business and your data. You have two choices: knuckle down and do it yourself or get someone in to do it for you.
It's not legal advice but in your position this is how I, personally, would start, YMMV:
1. Do an audit of the various PII data holdings in your business including who owns them. Who owns them will probably be the manager of the department which uses the data. Establishing the owner is important because it will be they who higher management or the board will depend on to ensure compliance. (Anyone from BT who got lumbered with Argent a couple of decades ago will remember this one.) The data sets you'll need to look at aren't just customer data, they'll include supplier data (your people almost certainly have contact lists), HR and any data your business processes on behalf of others.
2. One of the many things I disliked about ISO9000 back in the day was that although it documented what you did it omitted why you did it. Why you do things is as important to document as what you do. You start doing this now.
Go through the lists you've collected and document why your business collects and holds such data, how long you should hold it and the reasons for that length. The sorts of reasons might include practical - what you need to deliver goods and/or services - regulatory, statutory or contractual.
This is where you might need guidance but the guidance isn't going to be from some self-certified GDPR expert. If, for instance, you need to know what and for how long you need to hold stuff as an audit trail the person to ask is an accountant who can cite HMRC or whoever's rules to you. And make a note of the rules cited. Similar considerations apply to industry specific legislation or regulation.
If need be take professional help outside of your business, especially if the internal advice is from someone who you think is playing safe and saying "keep everything": keeping everything might not be safe under GDPR. You might need a budget for fees for that. If you don't have one then ask. Document asking. If you don't get, document that. CYA.
You might need to document down to column level if the need arises. You won't need to document the reason for each element of an address but if there's a column for gender you will certainly need to document why your business thinks it needs that.
3. Go through your documentation and decide whether the reasons are valid, whether the durations for which you hold data are valid etc.
4. Write out what needs to be done to eliminate the discrepancies thrown up in 3 and policies to say how this has to be done in future. As far as possible agree this with the data owner.
5. Present this, quoting your documentation, to higher authority. Write up reactions. You may need to be circumspect: say something like "In view of $stuff I recommended $recommendation but $data owner responded $response. This was submitted to $bigwig who decided $whatever on behalf of the business". CYA.
Why do I say have it all formally written down? You're trying to protect your company but also yourself. Hopefully the two will amount to the same thing but if they don't, ensure you're protected. Proceed as if you might, at some point, have to defend your company or yourself against an ICO investigator or, worst case, in court. Having it documented will show that even if some decisions weren't right, you'd made a genuine effort to find out what you thought you should be doing and why, and by whom the actual decision was taken. If you can show that everything was done with the best of intentions but some of it was wrong, you're more likely to avoid a penalty and have it sorted out courteously if not affably with the ICO without it ever coming to court. And having it written down contemporaneously will go down much better than having it obviously cobbled together yesterday.