I've been dealing with GDPR too at my workplace, it's pretty interesting and scary. They want corporations to protect peoples identity and personal information by enacting these incredible measures to diminish the possibility of data leakage, and there's heavy fines in case of a data breach happening. (And they happen somewhere everyday, most we don't even know)
The funny thing is that almost everything can be considered PII (Personally Identifiable Information), and thus have to be anonymized. I read an example just a few days ago of how a person's general location/timezone can be deduced by analyzing time stamps of web activity for example. And even us here all speaking in english, by language analysis through an AI agent somebody could deduce our origins, be it european, american, southern pacific, or probably with even more detail down to the country itself. If you start thinking about it you fall in a deep rabbit hole of which is pretty hard to get out of.

I think GDPR falls in the category of "killing a fly with a shotgun".