The compliance burden is proportional to the complexity of the architecture. You could have vast quantities of highly invasive personal data written to a monolithic RDBMS, and it would be simple matter of following foreign key relationships. Or you could have a very minimal set of entities & transactions actually collected from the customer via the edge, but propagated through so many microservices, queues, logs, warehouses, pipelines, and derived tables that it's infeasible to comprehensively trace all the scraps. The latter is more typical of a consumer internet company AFAICT.