It depends on what "personally identifiable" data that steemit.com stores. As I see it, they may be storing IP addresses, emails, phone numbers, location addresses (using bluetooth, gps on apps as stated in their privacy policy) and steem wallet addresses. Now using these a person can be personally identified and they should definitely beware of the new GDPR and update policies and procedures on how such information is stored anonymously for European users, better for all users.
And since they have a huge list of third parties they are saying may share such information with (which definitely includes export to regions outside the EU) , it is highly likely steemit.com will be sued in the near future given the market cap of steem these days and the worth of the site itself.