“Did we do a PIA?”
“Is this a data leak and should we contact their privacy officer?”
These are common questions now. GDPR changed a lot of things. The basic idea that you'd just send and receive any data you have that seems useful from a technical standpoint to third parties and see what you would actually end up using is gone. Step one is as you say: “do we really need this kind of data?”