Metadata, role-based access control is simple to maintain, very expressive and it works dynamically.
Classical Access Control Lists (ACL) systems, like the one in Alfresco, are powerful for fine grained access control, but cumbersome to maintain and too simple in expressiveness. There is no decent support of AND, OR, NOT type of access rules. Adding an additional protection layer for GDPR would require reviewing your ACL inheritance and creating an additional (oh no, not again) number of Active Directory groups to express privacy constraints.
Download the whitepaper and discover how does that fit with the new GDPR regulations.