The EU deferred the application of the GDPR personal data rules for two years to allow organisations to make the necessary internal changes to reach compliance. The first change, and possibly the most difficult, is to perceive what is stated in the title here: personal data belongs to the data subject.
Personal data, collected by you, is not owned by you.
Think of it as money. Less than one year from now, your organisation must be able to account for personal data in very close detail. You will be answerable to regulators and to the data subject for the personal data.
If you’re in a business or organisation preparing its GDPR compliance project, you are going to need to include a map of all the personal data you are storing (storage, in EU law, is a form of ‘processing’), as well as the purpose for which it is stored. You’ll also need to be able to show that you have a legal basis for that use, even if you’re only storing it. The GDPR even requires that you keep an up-to-date register of all the data processing done in your organisation, for inspection by the regulator.
Unless you prepare, the very possession of personal data could be a breach of the GDPR data protection rules and, depending on the nature of that breach, its circumstances etc., the fine for a breach could be fatal for your organisation.
That is intended by the EU; under the GDPR, personal data is potentially commercially radioactive. The EU intends to send the message that if it is mishandled, you may go out of business. There are historical reasons (see most of the 20th century) why the EU takes the primacy of human dignity in data protection seriously. There’s no doubt that, with the coming into force of the General Data Protection Regulation, it intends that all the organisations doing business inside the EU take it just as seriously as well.