Or, have scripts that you run against the database to obfuscate the data immediately after the restore.
+100 have done this in the past, not sure if this approach would be affected by GDPR though!
We do this too, esp. for prod-to-dev environment refreshes.