Is it supposed to be enough to be compliant with the GDPR? If you have harvested data from Europe, you are not allowed to sell/transmit it without informing the concerned party. I feel that to become GDPR compliant this way, you also have to delete all data that may have come from european residents.