Software design

GDPR and microservices - implement functionality in each service or create separate gdpr-only services?

The company has 30 microservices that form one product. By post type, story, registration, etc. The code is partially common, due to the libraries, the storage is all different. And now it burned to become a jidipiar compliance. To do this, you need to do essentially the same actions in each turnip. Export of all-all user data, deletion of all user data, logging of deleted users.
They gave this mega task to one poor fellow. He started to do it, but howled from the amount of work, and from the need to deal with every turnip, and swear every time with new reviewers. Therefore, he puts forward the following plan: instead of integrating gdpr functionality into each microservice, he proposes to make a brother for each microservice, with access to the same storage, in which these same gdpr functions will be implemented and nothing more. That is, we will have user-api and gdpr-user-api, chat-api and gdpr-chat-api, search-api and gdpr-search-api, and so on.
Attention, question. Which approach is architecturally and according to best practices correct, and why?