> even though we are not any kind of data collection company
Are you collecting data on your customers? If you are, then one of the things your company does is data collection, even if that's not what's in your business plan.
We store enough identifying data to do business with our customers, we do not collect data for data's sake. Not for metrics, nor for ads, not to sell, etc.
The term "personally identifying information" does not occur anywhere in the text of GDPR; the regulations use the term "personal data", which is defined differently.
I raise this issue in almost every thread about GDPR, because although it might seem pedantic, the error strongly implies that people have not read or understood the legislation. The difference between personal data and personal identifiers is integral to GDPR and the legislation cannot be understood without fully understanding that distinction and the implications that follow from it.
Every company receives data about their customer, usually leaked by the customers themselves. How they handle it and what they choose to store / delete differs wildly.
Are you collecting data on your customers? If you are, then one of the things your company does is data collection, even if that's not what's in your business plan.