Corporate lawyers tend to be …optimistic. And then management will put a risk calculation on top of that. As a result, most larger companies violate the GDPR. See the popular use of Google Analytics or Microsoft 365, for example, which are illegal in the EU, if you ask a DPA¹. Giving them a reality check is never a bad idea.
¹) https://www.imy.se/en/news/four-companies-must-stop-using-google-analytics/
https://news.itsfoss.com/microsoft-office-365-illegal-germany/