My impression is that GDPR is actually pretty clear, but people involved in PI processing business have a strong cognitive dissonance about it. It's GDPR telling them "don't do that", vs. them thinking "I must do that, so GDPR is unclear on how can I do that".