GDPR is a standardisation of pre-existing national rules within the EU member states, at the time including the UK’s Data Protection Act. When I was at university, one of the examples of the scope of the Data Protection Act was a barbershop which kept hand-written (no computer involved) records of customers, and one customer used the DPA to demand to see their records and then to have those records destroyed.