If your company collects data on the sexual orientation of your employees, then check with a lawyer. If you are collecting the name, contact information, work phone number, banking information, and personal identification, then all those are covered under the legitimate interest of job description, salary, and legally required insurance policies. HR policies which do not involve job description, do not involve salaries, and do not involve legally required policies such as insurance might require GDPR.
Logs containing IP addresses are exempted from GDPR for anything related to security. Processing the logs for purposes other than security requires the complexity of GDPR handling. It is the purpose that defines the complexity, not the logs.
PII is defined very broadly, but so are its exceptions. Employers first have to know a bunch of tax law and employment regulations related to employing people, and those do require specific legal documentation on impact analysis that must be kept up to date. People who do not do this cannot employ people, or risk breaking the law (especially tax law).
Technically they fall under Recital 49 of the GDPR, with the unofficial title of "overriding legitimate interest", and not under the general paragraphs of legitimate interest. Security is explicit and spelled out in the regulation.
(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.
This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.