
"> Do you have any PII/Sensitive data flowing through the service? While this question is important, this is one of the problems that has to be a particular person's responsibility. Any dev that answers anything but "probably not, but I don't know" shouldn't be trusted."

GDPR makes it the responsibility of the organisation to know. You can't safely say "I don't know" about PII.



And if an organization wants to know, then they must make a single individual responsible. "Organizational responsibility" means that no one is responsible.

It is important to have one person know the answer, rather than making your devs "guess" the answer. "The devs we asked said there wasn't misuse of PII" is not at all a good guarantee that PII is not abused or lost.

The organization cannot know unless there is an individual who knows.



