ServiceNow handling GDPR
05-04-2017 11:26 AM
Does anyone have any information on how the ServiceNow platform will handle GDPR (General Data Protection Regulation)? I realize there is a K17 lab on the topic, but none of our contacts at ServiceNow seem to be familiar with the regulation at all. It's a pretty big deal for our company, as I would imagine it is for any organization operating in EMEA.
12-13-2017 09:17 AM
Anne,
I couldn't have put it better myself. While modifying a person's user record in the system would change most references to that person throughout the platform, there are still other places like comments, open text fields and email logs that this change would not affect. I'm glad to see I'm not the only person that sees this as an issue.
Thanks for your reply.
01-20-2018 04:25 PM
The simplest thing that IMHO can be done for GDPR is to inactivate a user who wants their data removed and implement ACLs that prevent any ServiceNow user from seeing/using the "inactive" user records. Have to ask the legal department if this is legally adequate as fulfillment of an individual's request to remove his/her personal employee data from ServiceNow.
If SysAdmins are to apply GDPR policies digitally, then ServiceNow SysAdmins may also have a couple of other challenges:
- For some policies and legislation (even for GDPR itself) companies need to track/retain who has done/reported/approved things. Removing employee/user details for GDPR reasons on request of an individual will likely cause other compliance issues and possibly SOX defects.
- Any company that imports its ServiceNow user profiles from an external source (and who doesn't?) will have to remove the user data from the staging tables, data sources and transform logs as well upon request. The interesting thing: this source data is not yet linked to user records in ServiceNow.
- Most companies have record-update-logging activated on the master data tables. If personal data is updated/emptied, anyone can reverse engineer the original data via the history log. I.e., there will always be a trace (if only in the SQL DB transaction log) of the original data.
- If you have performance analytics turned on for attributes in the sys_user table (e.g. how many active profiles do we have on a given day), the snapshots will probably contain a copy of portions of the historic records in the sys_user table.
- Deleting users from the sys_user table may make integrations with OKTA or AD think that the user does not yet exist and needs to be (re-)created in ServiceNow. I.e., one needs to ensure that the source no longer provides the data and/or ensure that the user profile is no longer re-created in ServiceNow.
- Inbound and outbound emails to/from a user who wants to disappear from the ServiceNow radar could be tricky.
- In the ServiceNow logs, Admins can see from which IP address a user was doing what. Are we really supposed to remove those records upon request?
- Events and Alarms will probably contain references to usernames and IP addresses in the event/alarm body.
- If an employee loses his phone/laptop then this will likely be registered as an incident in ServiceNow. Do we need to delete this incident upon request as well?
- Blessed be the ones who have ETLs and a huge on-premise data lake with ServiceNow data ;-). Cursed be the ones who store attachments with personal data in ServiceNow (i.e. an email with a change approval which includes the user's email signature... a screenshot with personal data attached to an incident?)
Interestingly enough: everybody who uses ServiceNow with one or more users in Europe will have the same GDPR challenges. Wouldn't it make sense for ServiceNow to come up with a GDPR release before May 2018 which addresses all issues with personal data in ServiceNow for all ServiceNow customers?
btw: Has anybody considered implementing a GDPR Data Register in ServiceNow? Which risk is considered bigger? Having a proper Data Register in ServiceNow describing exactly which personal information may be found where, OR the DPO not being able to timely process a Data Privacy Breach due to not having an up-to-date data register in ServiceNow?
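As an added illustration of the post above (not code from the thread or from ServiceNow), here is a background-script style check that follows its first suggestion, inactivating the user rather than deleting, and then counts where that person is still referenced in the places the post lists (journal entries, the email log, the audit history, an import staging table). sys_journal_field, sys_email and sys_audit are standard tables; the staging table name and the subject's identifiers are constructed placeholders, and GlideRecord is passed in as a parameter so the query-building logic also runs outside the platform.

```javascript
// Tables the post says a plain sys_user edit does not reach. The last entry is a
// placeholder name for whatever import-set staging table your user import uses.
var RESIDUAL_SOURCES = [
  { table: 'sys_journal_field', field: 'value',      keys: ['email', 'name'] },   // comments, work notes
  { table: 'sys_email',         field: 'recipients', keys: ['email'] },           // inbound/outbound mail log
  { table: 'sys_email',         field: 'body',       keys: ['email', 'name'] },
  { table: 'sys_audit',         field: 'oldvalue',   keys: ['email', 'name', 'user_name'] }, // history set
  { table: 'u_user_import_staging', field: 'u_email', keys: ['email'] }           // placeholder staging table
];

// One encoded query per source: fieldLIKE<identifier>, ORed over every identifier the subject has.
function buildEncodedQuery(source, subject) {
  return source.keys
    .filter(function (k) { return subject[k]; })
    .map(function (k) { return source.field + 'LIKE' + subject[k]; })
    .join('^OR');
}

// Count matching rows per table.field. GR is GlideRecord or any constructor with the same
// addEncodedQuery / query / next methods. This only reports; nothing is modified or deleted.
function scanResidualReferences(subject, GR) {
  var report = {};
  RESIDUAL_SOURCES.forEach(function (src) {
    var q = buildEncodedQuery(src, subject);
    if (!q) return;
    var gr = new GR(src.table);
    gr.addEncodedQuery(q);
    gr.query();
    var n = 0;
    while (gr.next()) n++;
    report[src.table + '.' + src.field] = n;
  });
  return report;
}

// Inactivate rather than delete so existing references (approvals, audit rows) keep resolving.
function inactivateUser(userSysId, GR) {
  var u = new GR('sys_user');
  if (!u.get(userSysId)) return false;
  u.setValue('active', false);
  u.update();
  return true;
}

// Only runs inside the platform; the subject values below are constructed placeholders.
if (typeof GlideRecord !== 'undefined') {
  var subject = { sys_id: '<user sys_id>', email: 'jane.doe@example.com', name: 'Jane Doe', user_name: 'jane.doe' };
  inactivateUser(subject.sys_id, GlideRecord);
  gs.info(JSON.stringify(scanResidualReferences(subject, GlideRecord)));
}
```

The report gives the DPO a per-table count to weigh against the retention obligations the post raises, rather than silently scrubbing rows that SOX or the audit history may require.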
04-12-2018 02:17 AM
I have done this.
I made a module for DPIAs, Data Breaches and Art. 30 registrations.
10-11-2018 12:27 AM
I have made this for a big client, and made an app for this. It's in the app store.