It is reasonable to assume overreach by governing bodies will occur; this is no less true for the EU than for any national government. The EU is no less likely to misuse that hammer, intentionally or not.
"It is reasonable to assume overreach by governing bodies will occur"
No its not as they now have regulations in place to prevent that, before GDPR you could. You can only be sued to the poor house from it if you do something like leave your patients health information on the bus.
Even then you probably won't. If it's an incident that happened despite of having taken the necessary precautions, you would probably get only a small fine or a warning.
These laws have been in place since 2016, they are going to start enforcing them starting the 25th. If you actually read anything about it from the source, it's clear it's setup against data abusers. It's not aimed at small businesses. If you don't do anything with user data, you don't even have to do anything. Like in the case of the OP. Aside from that, the EU doesn't have a history of overreaching/abusing power such as this. If this was US legislation your worries would be justified.
No its not as they now have regulations in place to prevent that, before GDPR you could. You can only be sued to the poor house from it if you do something like leave your patients health information on the bus.