GDPR is not a prohibition on selling personal data. It’s a prohibition on having and using personal data, unless the specific data and usage can be justified under one of the lawful bases. An army of lawyers is required to assess whether each code path and business process is truly covered under one of those bases, given how specific regulators are likely to interpret the subjective judgement calls embedded in the definitions of those bases (necessary, legitimate, reasonable, balanced, etc).