This is a huge topic for discussion. I spent a good bit of time looking at GDPR stuff and can certainly give my opinion, but it will be in no way authoritative. The key pieces of architecture that are relevant to GDPR are where your data is and who has access.
Nodes share the data and the node providers could theoretically look into your canister and see the data. Typically you have an agreement with Amazon or Microsoft saying that they won’t do that and will be held liable for data breaches. These agreements allow you to tick certain boxes that say you’ve done your due diligence and that you have a plan for data protection. I don’t know if the IC has one of those, but I would imagine in the future it would be helpful for someone to organize the independent datacenters into some kind of shared entity that makes it easy for those vendors to make the same kind of assurances without having to sign 23 different agreements.
Official access can be programmed just like any other application, so as long as you follow GDPR best practices around logging and data access restrictions you should be fine.
The real question is what happens when a DAO is running a canister and there aren’t any entities to hold responsible for GDPR. That one is going to throw the regulators for a loop. I don’t have any answers and there is certainly room for bad actors to enter that space with mal-intent. It is going to be a fun ride and we’re all going to have to figure it out together.