I work for a big $company in the US. The lawyers are freaking. At this point we are simply documenting any use of Personally Identifiable Information, which in our case (since we don't store any) means providing a list of API endpoints at which such data enters and exits the system. It seems like a high CYA factor, but the company has deep pockets so wants to be safe. We have heard that phase 2 will be to provide on-demand data expungement, although again in my team we don't keep it to begin with.

It's keeping one poor bastard busy for a few days making a spreadsheet.