It's not that hard for any competent organization: document what PII you store, who has access to it, and what you do with it. Also have an internal procedure to scramble someone's PII on request.
If you have a direct or indirect contractual relationship with the person whose PII you are storing, there is nothing more to do. If you don't, ask for permission and store the timestamp of the authorization.
I must say you really do make it sound simple, and I generally like it. I think the part where I struggle most is the details, though.
> document what PII you store
That part seems doable; the hardest parts here are probably figuring out what PII is, and then taking care of numerous services logging IP addresses. That's PII, isn't it? What about IPs of phone calls over IP? Or phone numbers stored in the phones of numerous employees? Do companies delete those, or is it not necessary?
> who has access to it
I personally try to self-host as much as possible with as few third parties involved as possible. But I think there are edge cases here too that a lot of people might not think about, such as time tracking tools, calendaring, accounting software, etc. What happens if employees just use online tools the employer doesn't know about? I am sure it's defined, but it's not entirely clear to me.
> what you do with it
That's probably the easiest part; if you do something with it, you probably know it.
> Also have an internal procedure to scramble someone's PII on request.
I think that sounds good. It's just not entirely clear to me what that procedure should look like. How deep do we go with that? I could be nitpicking and say that, physically, information cannot be destroyed. What if a SQL Server uses MVCC and doesn't delete data but just marks it as such? What about event sourcing architectures with Kafka that rely on keeping the data? Or how about backups? Probably no deletion needed, but how to handle cases where backups are restored and previously deleted data reappears? I just think a clear set of rules would be great here, and a lot of people like to oversimplify things (or me, overcomplicating things here, probably).
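An added example, not code from anyone in this thread: one way to make "scramble on request" hold up against MVCC tables, append-only logs and restored backups is crypto-shredding, where a subject's PII is only ever stored encrypted under a per-subject key and an erasure request deletes that key. The SHA-256 keystream, the `PiiStore` class and the sample values below are constructed for illustration; a real deployment would use AES-GCM and a managed key store.

```python
import hashlib
import json
import os

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream: a stdlib stand-in for AES-GCM, not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))

def open_(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))

class PiiStore:
    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}          # hypothetical key store: the only deletable state
        self.events: list[tuple[str, bytes]] = []  # append-only; stands in for a Kafka topic or backup

    def record(self, subject_id: str, pii: dict) -> None:
        key = self._keys.setdefault(subject_id, os.urandom(32))
        self.events.append((subject_id, seal(key, json.dumps(pii).encode())))

    def read(self, subject_id: str) -> list:
        key = self._keys.get(subject_id)
        return [json.loads(open_(key, ct)) if key else None
                for sid, ct in self.events if sid == subject_id]

    def erase(self, subject_id: str) -> int:
        """Honour an erasure request by destroying the key; rows and backups are left untouched."""
        self._keys.pop(subject_id, None)
        return sum(1 for sid, _ in self.events if sid == subject_id)

def demo() -> tuple:
    store = PiiStore()
    store.record("alice", {"email": "alice@example.com"})  # constructed sample PII
    store.record("alice", {"ip": "192.0.2.10"})
    backup = list(store.events)                # backup taken before the erasure request
    before = store.read("alice")
    count = store.erase("alice")
    store.events = backup                      # restoring the backup brings the rows back...
    return before, count, store.read("alice")  # ...but without the key they stay unreadable
```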
The answer to most of these is the same: companies have to show that they are making a reasonable, good faith attempt to comply. If they can show that they have policies, that they have processes to implement the policies, and that their users have read the policies, understand the processes, and are aware of their own responsibilities, then there's a strong likelihood that they will not run afoul of the directive.
If you have a direct or indirect contractual relationship with the person whose PII you are storing, there is nothing more to do. If you don't, ask for permission and store the timestamp of the authorization.
That's all. Really it's that simple.