The Privacy API at present goes a long way to provide a means to report on the data that is "stored" by a plugin, however the GDPR refers to processing, rather than simply storage:

'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

At present there is no means (other than convention in READMEs etc) for a plugin to declare what processes it does with the personal information it holds.

Whilst this may be self-evident in some simple single-use cases, but a plugin may do multiple processes.

It would make sense for this information to be programatically declared via the Privacy API so that it can be easily enumerated by admins to be exposed in privacy policies.