The tracking is important, the tracing, nope.
As one who has literally built some of these "apps", thus the anonymous as it is still under security embargo, I have the real skinny on this. TL;DR; the UK app is being built by the usual committee of no-hopers and academics so is, of course, mostly bollocks. Political virtue signalling at its finest. I'd point out that those of us who really know are really not popular with these guys. Not academic enough. Not political enough. Might steal some budget that should be spent on stuffed-shirts.
So, from what we know, firstly tracing tells you little beyond "your family probably need to be tested and isolated". Everything else will immediately lead to a 100% population lockdown for the obvious reasons, so can be ignored, and is clearly a violation of privacy. So don't do it.
Tracking where you went can be fully and completely anonymised, and is available in scary detail via cell-tower ping and handover data. I'm guessing MI5 and co are desperately trying to avoid mentioning that they are tracking (and I speculate ever so slightly in the case of the UK) every single mobile device at all times, down to a 10m^2 area. Sometimes better with a bit of clever Kalman filtering and in heavily overlapping cells. But I digress. The point is, this data is available right now, and requires exactly zero things to be done to gather it.
All you need to do (heh) is get permission from the user to find out where they have been, to convert that "technical" data into useful data. GDPR covered.
To get the permission we can, I dunno, promise not to keep it (fantasy island I know, but bear with me).
You find out where they have been as coordinates for some historical period, e.g. 14 days.
You mark the coordinates as potentially on an infection trail, with modelling for how it remains infectious.
Then you erase the device data, thus erasing the GDPR problem as there is now no [direct] personalised data (I know I'm simplifying).
This is basically what South Korea did though they took the additional step of notfying anyone else who was in one of these hotspots, and perhaps not quite so hygienically.
See, no GDPR problems, no stupid interviews, location only, you could put it on a map (and we do!) and people can then request (giving permission!) to intersect their movements with the hotspots, and be given a risk assessment. Again, the identifying request data can be thrown away, and the useful aggregates kept.
This is good enough, proportional, privacy compliant, and works like a champ. Instead we have something obviously stupid, illegal and destined to fail. Full steam ahead!