There is a ridiculous amount of material to read online and you can answer all those questions fully in about 30 minutes of searching and you could have the relevant policies written up by lunchtime.
> Do I have to search the weblogs for the users IP?
No, because you don't keep web logs with any PII in them longer than you have to, right? The time you need to keep them for is a legitimate interest that you need to be able to justify.
> Do I have to search the mail servers for his emails - of all employees? What if he used multiple emails to communicate?
Write an Email Retention Policy, there are templates. Follow that.
> Am I in breach if an ISP decides to route internet packets through the US?
Isn't it encrypted?
> If I put people on CC in a mail, I am leaking everyone's email, probably without their consent - is that a breach?
You said it yourself: it's a data leak, so yes, it is (assuming this is some bulk email list). Depending on the sensitivity of the list, you may need to disclose the leak to the affected parties.
If you want to profit from being a data controller you really should already have done this homework, even before the GDPR and friends required it by law. A responsible company would already be taking care of its customers' (and employee) data and at most just needs to make sure the existing processes are documented. Demonstrably, companies don't do this, through laziness, incompetence or malice, and that's how we end up with these regulations. Just like how companies injuring people in unsafe workplaces is how you get H&S regulation.
And really all you have to do is just actually make a decent effort. If you find that extremely onerous it's usually because you actually want to use the data for something that you know deep down is not something the information owner would want you to use it for.
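One way to put the web-log retention point into practice, as an added example that is not part of the original thread: mask the client IP at ingest and drop lines older than the period you can justify. The combined log format, the /24 and /48 masks and the 30-day window are assumptions for this demo.

```python
"""Added example (not from the thread): retention filter for web access logs.
Two controls: strip the PII (client IP) from each line, and drop lines older
than the retention window. Format, masks and window are assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in Apache/nginx "combined" style (not real traffic).
SAMPLE_LOG = """\
203.0.113.42 - - [01/Mar/2024:10:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
2001:db8:abcd:1234::7 - - [02/Apr/2024:11:00:00 +0000] "GET /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Apr/2024:08:30:45 +0000] "POST /api HTTP/1.1" 500 77 "-" "python-requests/2.31"
"""
# Fixed "current time" so the demo is reproducible (assumption, not a real clock).
DEMO_NOW = datetime(2024, 4, 20, tzinfo=timezone.utc)

LINE_RE = re.compile(r'^(?P<ip>\S+) (?P<rest1>\S+ \S+) \[(?P<ts>[^\]]+)\] (?P<rest2>.*)$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def pseudonymise_ip(ip_text: str) -> str:
    """Keep only the network prefix (IPv4 /24, IPv6 /48): enough for abuse and
    traffic trends, no longer a single-host identifier. Unparseable values are blanked."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "0.0.0.0"
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def filter_log(text: str, now: datetime, retention_days: int = 30) -> list[str]:
    """Return only lines inside the retention window, with the client IP masked."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: do not retain content we cannot classify
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        if ts < cutoff:
            continue  # past retention: drop rather than keep "just in case"
        kept.append(f'{pseudonymise_ip(m["ip"])} {m["rest1"]} [{m["ts"]}] {m["rest2"]}')
    return kept


if __name__ == "__main__":
    for kept_line in filter_log(SAMPLE_LOG, DEMO_NOW):
        print(kept_line)
```

Run this as a post-rotation step (or at ingest) so the stored copy never contains full client addresses; the masked prefix still answers the "search the weblogs for the user's IP" question with a clear no.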