Having read the document I can see that they make a case for the scenario that I mentioned to @timcliff in the comments here, that each witness might be considered their own data controller and also a processor. The situation is far from clear and as they say at the end, it may require a thorough technical analysis to be carried out to find out exactly how this fits within the legislation.
I really do think this should be undertaken by Steemit Inc. since it represents an existential threat to their entire business and they have significant enough funds, plus contacts to do it.. That said, it would be easily afforded by the top witnesses too.
A useful document, but we still lack a precise answer. :/
The way I read it, the document hints towards users storing their own identity information off-chain using IPFS nodes or similar, and probably arbitrary data not being kept on-chain at all - but I agree it's far from clear.
It would take a huge development effort to move all the arbitrary Steem data off-chain, and update the existing front-ends. Would you want to pay to find out that there was an asteroid heading for earth and there was nothing we could do about it? That said, there seems to be some chance that the launch of SMTs could actually help pivot towards this kind of architecture if we wanted.