Disclaimer: I hope this fits the scope of this sub, if not please let me know where to post it instead.
So today our Privacy & Security team reached out and asked my team to implement the whole list of GDPR conformity measures: DPIA Assessment, data encryption, interfaces to request deletion of private data, etc.
It's true that we store business email addresses and usernames, which obviously is private data. However, our application is not exposed to the public. You can only connect to the db if you are behind the company's VPN. The front-end exposes a last_edit_by field for each record handled by our application.
Are they right in their interpretation of GDPR requirements? For me, that seems to be overkill considering it's internal use only. I'd suppose you could come up with a business justification to know who did what. Assuming they are right, would it make a difference if we stop storing email addresses and usernames and only store nicknames or user IDs instead?