We’re a global company making enterprise software. We have all the certifications including really nasty ones like FedRAMP and HIPAA combined. GDPR is a walk in the park comparatively. I’m well aware of the details and deal with compliance on a nearly daily basis. The only justification was “just to be safe”, which is why they quickly acquiesced to storing the string “false” after pushback.