re:'Personally identfiable information'
I think the guidance runs along the lines of "any piece of data that you hold that could identify an individual or could be combined with something else that you hold or could reasonably expect to have or gather that identifies an individual.
The data just has to be descriptive so saying "the ginger bloke that works in IT at XYZ company" could potentially identify an individual if there is no other ginger bloke in IT at that company. Under GDPR, this extends to things like IP addresses (called "online identifiers" I believe).
GDPR is going to be a bit of a nightmare for some, a pain for most and a cash-cow for others