An employee comment in the relevant merge request indicates that they are already knowing non-compliant with the GDPR. While I applaud their openness I wonder if this will comeback to bite them.
"This is because we suspect that we are not currently in compliance but cannot expressly call out the gaps until the DPIAs are complete. (Actually, by not having the DPIAs, we are, on our face, out of compliance with GDPR regulations.)"
