Wow, thank you so much for this detail. I love the nightmare letter! I'll mine your comments and try to distill them into a few points that capture the important parts.
You should do a DevTo article about GDPR!
-- Added comments:
Here are three items I've distilled from your text:
Don't store sensitive data unless you truly need it. This means email addresses, personally identifying information and other personal information in general. Treat sensitive data like radioactive waste — i.e. there is a real, large and ongoing cost to securing it, and one day it can hurt you.
Keep a complete list of all the places you store sensitive information: databases, file systems, Dropbox, GitHub, Vault, Office docs and even the paper folder. This is useful to manage, required by GDPR and essential if hacked. You need to be able to locate all sensitive information.
If subject to GDPR, make sure you really understand the requirements and design it in from the start. For some, it will represent a major change in design and thinking. /Two links here/