I completely agree, GDPR is definitely a more detailed ruleset than what I outlined, but from a data management superset perspective you would have the mechanisms and facilities to deal with the GDPR-specific rules anyway.
I've found that this is mostly a problem in organisations where data isn't managed, the government doesn't protect the people, or where some vague value is assigned to the data (so it does get stored, but when it leaks it is supposed to not have value and therefore do no damage). So looking at it from an "you will be managing it anyway" angle has worked well for me when trying to activate teams/units/orgs.
I've found that this is mostly a problem in organisations where data isn't managed, the government doesn't protect the people, or where some vague value is assigned to the data (so it does get stored, but when it leaks it is supposed to not have value and therefore do no damage). So looking at it from an "you will be managing it anyway" angle has worked well for me when trying to activate teams/units/orgs.