Good question. I imagine the thinking is, to prevent avoidable future problems. If the system can be designed to comply with GDPR, why not do so?

As opposed to deliberately ignoring the existence of GDPR and opening the door to whatever irritating enforcement actions may arise as a result. (I am presuming that ECAF can perform its functions while complying. If there were a trade-off between ECAF doing its job vs complying with GDPR, I'd probably take a different stance.)

In sum, why invite avoidable drama?