Hi, we are also in lengthy discussions on this topic - it really is a minefield.
With regards to customer complaints, the key personnel responsible for collecting the customer's info (i.e. Technical/QA or sales/account manager / general company email) should restrict access to the customer's personal information from other employees (so we ensure access to certain folders on the network is restricted).
We have also created a risk assessment document which clearly lays out all the personal data we collate (we also specify which department, so for us it would be the technical department) and lists out all the documents/personal info you would keep (medical questionnaires, customer complaints, supplier approval contact information, training documents), and for HR, for example, they would keep return to work forms, sick lines and other very confidential info on staff. So you risk assess each area for the risk of exposure and how risky it would be if someone else was to obtain this personal information; so, for example, the risk is higher for HR records such as sick notes being in the wrong hands than the risk of a customer complaint log which only specifies the customer name and address (no medical history or very personal information held).
This is how we are firstly approaching this, and it is a good exercise to do, as it helps you think of all the documents you are actually keeping - as on a daily basis you do not step back to think about all this, or the consequences.
Also, a good idea, I think, would be to convert the medical questionnaires to paperless / iPads if possible - this prevents the actual medical questionnaires from sitting exposed at reception (especially if reception is unmanned), as other visitors could nosy through previous questionnaires if these are left sitting out and not filed away.
If you have these paperless and use a tablet to record the info, it is then very secure, confidential to the relevant employee who requires this information (Technical manager - to assess if the visitor can enter the factory floor), and there is no risk of the paperwork getting into the wrong hands...
We are still learning more about the new law, and ensuring our teams are all receiving training on GDPR to ensure all are briefed on this and know what is expected of them. If we can be seen to be taking action and keeping the data safe, then it will all help towards compliance.
For BRC implementation - we do keep a log of all our customer complaints (electronic log) which is document controlled, and the log is only accessible by the Technical team; the key complaint information (excluding the customer details) is then cascaded around to the relevant teams when required (for weekly management meetings), so this helps us comply with BRC clause 3.10. As long as you are recording the key info, investigating, doing RCA, documenting corrective actions and trending as required, you can keep the confidential customer info (address/details/name etc.) in one department, with one key person in the company, and keep access restricted. You obviously still require this information to get in touch with the customer, so it is needed to an extent.
Also, you could send a privacy statement in relation to GDPR out to the customers to ensure they agree for us to use / keep their personal data - this would help keep it all right - and if they ignore the statement / do not reply within a certain timeframe, then take this as acknowledgement of receipt and agreement.
A lot to think about, but I am sure with further training we will figure it all out.