This is also true, to some extent. You have to have valid reason to access PII (Personally Identifiable Information). All access is logged and the DPO (The Data Privacy Office, one of the good things GDPR formalized) monitors access on a regular basis.

And since the current understanding is that even the combination of an IP address and a timestamp is personally identifiable... many organizations are actively not collecting usage stats. Which leads to the abuse of public funds, but this is a different story.