need for GDPR guidance WRT peer DIDs

[dhh1128]

An old issue (openssi/peer-did-method-spec#42) tracked a place where the peer DID spec verbiage was a bit too confident about the intersection between peer DIDs and GDPR. Research shows that individuals using peer DIDs don't need to worry, but if orgs use peer DIDs, they may have the same kind of duty that they'd have if they received an email address from a customer. We should probably mention this somewhere.

Tagging @kdenhartog , who was tracking the old ticket.