A practical guide to analytics patterns that keep you on the right side of GDPR

What actually works in 2026 when you want a stack you can defend in front of a regulator without sweating.

GDPR is not as scary as the cottage industry of consultants would have you believe, but it does require you to make some decisions on purpose. Here are the things we keep coming back to.

  1. Treat your tagging URL like product infrastructure. It is not a marketing toy. Put it on the same uptime monitoring as your checkout.
  2. Use a custom domain from day one. Switching later is annoying and almost always loses some history.
  3. Hash PII before it leaves your server. SHA-256 the email, normalise it first, and never log the plaintext.
  4. Keep a written event taxonomy. It does not need to be elegant. It does need to exist somewhere people can find it.
  5. Version your container changes. GTM gives you versions for free. Use them. Future-you will be grateful.
  6. Test in preview mode for everything. Including the things you are sure work. Especially those.
  7. Reconcile with backend data weekly. A small drift is normal. A growing drift is a fire.
  8. Write down what you keep and for how long. Half of compliance is documentation. The other half is doing what the documentation says.
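Point 3 is the one item in this list that is a concrete technique rather than a habit, so here is a worked version of it. This is an added example, not code from the original post: it normalises an address before hashing so the same person always yields the same token, produces the plain SHA-256 the post describes, adds a keyed HMAC variant (an assumption of this example, not something the post calls for) for the case where the tool receiving the hash should not be able to reverse it against a list of known addresses, and includes a log-line redactor so the plaintext never reaches log storage. The sample addresses and the pepper value are constructed for the example.

```python
import hashlib
import hmac
import re
import unicodedata

# Constructed sample inputs for the example (not from the original post).
SAMPLE_EMAILS = [
    "  Alice.Smith@Example.COM ",
    "alice.smith@example.com",
    "Bob@example.org",
]

# Hypothetical server-side secret for the keyed variant. In a real deployment
# it comes from a secrets manager and is never committed to source control.
EXAMPLE_PEPPER = b"constructed-example-pepper-not-for-production"

# Deliberately simple shape check: one "@", a dot in the domain, no whitespace.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def normalise_email(raw: str) -> str:
    """Canonicalise an address so one person always hashes to one token.

    Steps: Unicode NFKC fold, strip surrounding whitespace, lowercase the
    whole address. Plus-tags and dots are left alone on purpose: those rules
    are provider-specific, and changing them later silently changes every
    hash already stored downstream.
    """
    value = unicodedata.normalize("NFKC", raw).strip().lower()
    if not EMAIL_RE.match(value):
        raise ValueError("value does not look like an email address")
    return value


def hash_email(raw: str) -> str:
    """Plain SHA-256 of the normalised address, as the post describes."""
    return hashlib.sha256(normalise_email(raw).encode("utf-8")).hexdigest()


def keyed_hash_email(raw: str, pepper: bytes = EXAMPLE_PEPPER) -> str:
    """HMAC-SHA-256 variant (this example's addition, not from the post).

    The space of plausible email addresses is small enough that an unkeyed
    hash can be matched against a precomputed list. Mixing in a server-side
    secret removes that avenue while the downstream tool still just sees a
    64-character hex identifier.
    """
    digest = hmac.new(pepper, normalise_email(raw).encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()


def redact_emails(line: str) -> str:
    """Replace anything shaped like an email in a log line with a marker.

    Run this on every string that goes to a logger, so the plaintext address
    never lands in log storage even when a developer logs a whole payload.
    """
    return re.sub(r"[^@\s]+@[^@\s]+\.[^@\s]+", "[email redacted]", line)


def build_event(raw_email: str, event_name: str, keyed: bool = False) -> dict:
    """Assemble the outbound analytics event with only the hashed identifier.

    The raw address is consumed here and does not appear in the returned
    payload, which is the property point 3 is asking for.
    """
    user_id = keyed_hash_email(raw_email) if keyed else hash_email(raw_email)
    return {"event": event_name, "user_id": user_id}


if __name__ == "__main__":
    for raw in SAMPLE_EMAILS:
        print(f"{raw!r:32} -> {hash_email(raw)}")
    print(build_event(SAMPLE_EMAILS[0], "signup", keyed=True))
    print(redact_emails("signup ok for Alice.Smith@Example.COM from 10.0.0.1"))
```

Note that the first two sample addresses differ only in case and surrounding whitespace and hash to the same token once normalised; without the normalisation step they would count as two users and the weekly reconciliation in point 7 would show a drift that is really a data-quality bug.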

None of these are revolutionary. They are the boring habits that separate teams who trust their data from teams who argue about it. The teams who treat GDPR as a design constraint rather than a checklist tend to ship cleaner systems regardless of jurisdiction.