"I actually would posit that almost all call-centre software should be illegal under GDPR because you have no need to actually KNOW what the customer's address / phone number actually are."
You're probably right. The problem is that the ICO is deliberately kept as nobbled as possible by the government, so their friends can thumb their noses at the law. Have you noticed that despite the egrarious breaches of privacy that go on, only a few actual enforcement actions get reported? They're the ones that are so extreme that they can't be ignored, or where the target can't lawyer up enough to fight the ICO off.