Sounds like a broad blanket statement, have any specifics about this?

GDPR and cybersecurity laws are designed to be compatible, not mutually exclusive, but I'm sure there are edge-cases. Still, what exact situation did you find yourself in here in order to believe they're mutually exclusive?