Re: re: 'Personally identifiable information'
Hence, GDPR is a good gig to get into.
Definitely this. I receive a large number of inane sales contacts about training, tools and other junk vaguely associable with GDPR. Most of them know nothing about it; the training companies are there to promote training (therefore the courses are almost all doom and gloom with few "facts", many of which are incorrect and seem to be designed to promote further training and services provided by the vendor of the training).
If you're concerned, which you should be to some extent, then download and read the GDPR. It's a bit dry, as all legalese documents are, but it is readable and understandable, and you'll find that the reality is quite different from the scaremongering that's going on, led by the training and tools pushers who most stand to benefit from it.
One of the most important aspects that you need to know is that consent for incidental data collection can no longer be opt-out and that consent must be explicit, therefore no more "tick this to opt out of our shitty newsletter" or "untick this otherwise we'll send your details to our 'partners'". However, if the collection of the data is for genuine operational purposes, then as long as you can justify this you are welcome to collect it, as long as you don't disperse this data (unless explicitly agreed to). In short, define what you need to do, collect the data for that, and record and justify this.
The rules about automated processing are interesting; however, the clauses reduce the restrictions to sensible levels.
The rules about a "request to be deleted" are fine; however, they get operationally interesting quickly. Many organisations will need to record that an individual has requested to be deleted (because otherwise they may be contacted incidentally), many organisations have very genuine operational reasons for retaining historical data (restrictions on which do not apply to the deceased), and then there's the practical aspect of genuinely deleting all references to an individual: in theory, if this individual is recorded on a backup tape somewhere, then they would have to be removed from that as well.
The rules about ensuring that data is accurate are of note, but the FUD being spread is ridiculous. Nowhere in the GDPR does it mandate contacting, by post, all data subjects once a year to check that their details are correct; all it states is that reasonable endeavours must be applied to ensure that the data is accurate. What these reasonable endeavours may be depends entirely on the situation, the source of the data and the importance of the processing.