Agreed. I do not think it applies. What is an issue tho, is that once an admin, you can see everything. Including information that you should only have access to under certain (monitored) conditions. Nethserver does not allow for that atm. I do not think it is useful to focus on that either at the moment. It is a nice to have tho.
Think of role-based access, where only in a certain process you are allowed to access/alter certain info.
If there is no formal request for action X, you should not have access to the details you would need for action X. Being able to make an export of all users and their email addresses? An issue when those are customers.
Which exact issue are you trying to tackle? If you are corporate, you will most likely use the Samba AD account provider, or an existing AD account provider. All administration should be done from within Windows clients, bound by Windows policies and access rights based on best practices, given your demands. Likely there will be additional layers for process-based access through centralized management software. Support will get an unlock button active when there is a ticket for it … in a non-MMC interface …
This can be done. Lock your servermanager with a 2 keys principle construct, and do as described above.
(You will not get around root usage for certain admin tasks … you will never get that past GDPR compliance without a whole bunch of paperwork to cover that scenario. The way the logs are organised will not get you there either, and the list is pretty long tbh. You will have to lock a lot down, and use other solutions like Elkstack to access sensitive data in a controlled fashion. It’s more of an adventure to guide a Linux based setup through GDPR compliance, without specialized management software)