[mikekchar]

Are you compliant with the copyright laws in your company? Are you sure you have licenses for all the software you use? Have you audited the software you write to ensure that none of the programmers have included code without an appropriate license? How about patents? Are you sure that the software you write does not infringe on patents somewhere? There are people who will happily audit your company in exchange for a truckload of money... For some reason, most people don't think this is necessary.

Your risk in GDPR is similar to your risk in IP law. If you don't comply with the law and someone calls you on it, you might have legal proceedings against you. In most cases it's pretty obvious if you are compliant with the law (Well, to be fair, it's completely unobvious if you are going to get randomly sued for patent infringement, but I digress...) If you are have a very complex situation, then maybe it is worth some legal advice, but it's pretty freaking obvious if you need the data you have collected in order to fulfil the contract or not.