Complying with GDPR by not taking data you do not need is easy.
Lawyers mainly worked on producing disinformation about it because confusing people made for better consulting fees, but especially once guidance on "legitimate use" filtered out from legalese, they kinda stopped having an angle
... unless what you actually want to do is to violate GDPR and trade in PII, then you need to lawyer up
It does not, because what falls under legitimate interest is also quite clearly described.
Is it necessary for performing the service to end user? Is it necessary to support technical or legal issues in providing the service? (Trading data with other entities, marketing, etc ARE NOT, logging, debugging, security/audit logs ARE).
Creating BS claims for "legitimate interest" like IAB does is just setting yourself for big fines for breaking the law.
Lawyers mainly worked on producing disinformation about it because confusing people made for better consulting fees, but especially once guidance on "legitimate use" filtered out from legalese, they kinda stopped having an angle
... unless what you actually want to do is to violate GDPR and trade in PII, then you need to lawyer up