Hype vs Reality
Many companies already operate under stringent personal information requirements such as HIPAA (US law protecting patient data and privacy) and the like. Basically, they have written procedures in place as to who, what, where, and why for accessing this information. And these procedures have been in place for many, many years. All GDPR really does is extend this to basically all companies operating in the EU to have similar procedures in place or potentially face some very significant fines.
I suspect much of the hype is coming from marketing PHBs who are now finding themselves actually having to worry about protecting privileged information for the first time and not abusing it. Since many of these weasels (insulting weasels) have no ethics at all, this is a real shock to them that someone actually cares. As someone who works in an industry with these requirements in place, welcome to the real world. An aside: when I was being interviewed, I was basically asked if I had enough sense to keep my mouth shut when I needed to see live personal information.