Re: What about ex staff?
It amazes me that people are posting here without understanding the GDPR rules.
The "right to be forgotten" applies only to data that are held because the data subject has consented.
It does not apply to data for which the organisation has (and has notified) another legal basis for processing the data.
Thus complying with a request to delete personal data is not as simple as deleting all that subject's personal data (or making it anonymous by deleting the subject's name from the master index as some have suggested); it requires deleting a subset of data held. That also means that maintaining a list of requests to remove personal data IS allowed, because it is necessary to allow audit to show that you have complied with the request (and hence complied with the law, should it come to that).