I understand your point, but as information security and privacy professional I don’t see how personally identifiable data makes a breakthrough happen. Anonymised or pseudonymised yes. Personally identifiable?!? Perhaps only if one wants to target me (for profit).

It’s the same as programmers testing their apps with live data - completely unnecessary. That’s what GDPR is about.