The more cases like this I can point at, the less chance I have of any resistance to my "least privilege principle" processes.
Question: Why does the software allow blanket access to names and addresses of customers that he's not even dealing with?
I actually would posit that almost all call-centre software should be illegal under GDPR because you have no need to actually KNOW what the customer's address / phone number actually are. You just get put through to them by the system, and unless they ask you to change or confirm the address, you have no need to do so much as request it (via, say, a "Request" box on each database field), and so any blanket-requesting of customers would flag up under auditing rules, and any attempt to "mass export" the customer list would just fail and set off the flashing red lights.
Remember: If it's not REQUIRED for your job, you shouldn't have that access to that data. 99.9% of the times I've called up any utility companies, taken a call from suppliers, etc. there is literally zero need for them to personally have access to any of those details.
"Shall I ship it to your home address sir?"
A) "Yes please". Done. No need to do anything but "deliver".
B) "Hold on, I moved recently, which address do you have?". Call operative presses Request on the address, the grey box for address only gets filled out from the database, operative reads it out, confirms it. Done.
We honestly need to start designing systems around least-privilege (again) before the law catches on that its own definitions require it.
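
The per-field "Request" design described in the comment above, sketched as an added example that is not part of the original post: fields stay hidden until requested, every request is audited, blanket requesting raises an alert, and mass export fails. The class name, field names, sample records and limits are all assumptions made for illustration.

```python
from collections import defaultdict, deque

# Constructed sample records; field names and limits below are assumptions.
CUSTOMERS = {
    101: {"address": "1 Sample Street", "phone": "555-0100"},
    102: {"address": "2 Sample Street", "phone": "555-0101"},
}
MAX_REVEALS = 3          # field reveals allowed per operator per window
WINDOW_SECONDS = 600


class CallDesk:
    def __init__(self, customers):
        self._customers = customers
        self.active_call = {}               # operator -> customer on the line
        self.audit = []                     # (time, operator, customer, field, outcome)
        self.alerts = []                    # denied events for security to review
        self._reveals = defaultdict(deque)  # operator -> recent reveal times

    def _log(self, now, operator, customer_id, field, outcome):
        self.audit.append((now, operator, customer_id, field, outcome))
        if outcome != "revealed":
            self.alerts.append((now, operator, outcome))

    def request_field(self, operator, customer_id, field, now):
        """Reveal one field, only for the customer on the operator's current call."""
        if self.active_call.get(operator) != customer_id:
            return self._log(now, operator, customer_id, field, "denied: not on call")
        recent = self._reveals[operator]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                # forget reveals outside the window
        if len(recent) >= MAX_REVEALS:
            return self._log(now, operator, customer_id, field, "denied: rate limit")
        recent.append(now)
        self._log(now, operator, customer_id, field, "revealed")
        return self._customers[customer_id][field]

    def export_all(self, operator, now):
        """Bulk export is never available to the operator role; the attempt is logged."""
        self._log(now, operator, "*", "*", "denied: mass export")
        raise PermissionError("bulk export is not permitted for operators")
```

A denied request returns `None` and lands in both `audit` and `alerts`, so the review queue only contains the events that broke the expected pattern.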