I think it is an important point about "many things will remain that way with GDPR because of necessity (ie: old invoices and transactions will continue to have your details)". Most people doing business have _very_ legitimate reasons for having sensitive data; invoices, charges, security, etc. all require having personally identifying and sensitive information, and GDPR recognizes that-- but what it means is that companies _will_ and _should_ have customer information. Just because it isn't sitting in their database to improve customer experience doesn't mean it won't be sitting in the billing department for accounting & auditing purposes. So GDPR doesn't actually change much about people having your data, just kind of shuffles it around.