by Silhouette 2216 days ago
Somewhat agreed but this seems to be a side-effect of companies trying to lawyer their way out of the law

Not necessarily. One of the main criticisms of the GDPR was that it was vague and ambiguous on several very important points, and in theory deferred to more concrete guidance from the national regulators, which in turn was then either inconsistent or absent in some of the most important areas anyway.

The GDPR penalty regime was also heavily stacked against smaller businesses: for a large business, the costs are capped at the 4% level, but for any business earning less than half a billion each year, the absolute cap takes precedence and means that a regulator can literally threaten the very existence of any business earning less than probably 100M.

In that environment, you need proper legal advice on interpretation and possibly, as absurd as it seems, just to show that you have made a serious, good faith attempt at compliance, as a preemptive defence if a regulator does subsequently take a different view to yours.