The time of validity and how hard it might be to build a profile are not factors in whether or not this is legal under GDPR. Here's the actual text from GDPR on pseudonyms and synthetic keys of this type[1]:
> The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person
So PII that has been pseudonymized (mapped to a gid in this case) is protected in exactly the same way as if it had not been, if the pseudonymized data could be mapped to a natural person by the use of additional data. The pseudonym (gid) is itself also considered PII under GDPR.
[1] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CEL...
> The pseudonym (gid) is itself considered PII under GDPR.
I know of multiple systems that use a UID but throw away a user’s information, including the UID mapping, when the user leaves. This allows historic metrics to be retained without ever identifying a user who isn’t still using the system.