Not just the legal team. Every time there's new legislation like this, a new set of contractors pops up offering to walk your company through what it needs to do to be compliant. Nobody is quite sure what the limits are--and nobody will be for several years until court precedents work out the issues--so those contractors are going to tell you to assume the worst-case interpretation.
PCI Compliance (technically a contractual obligation rather than legal), Sarbanes-Oxley, and GDPR were good things, but all of them spawned a sub-industry of grifters.