Our company drafts proposals for construction projects, and shares them with clients via the web. Each proposal gets its own web page and permalink. For the end-user's convenience, we want these pages to be viewable without requiring a login.
The web page for each proposal may display some personally identifiable information about the end-user, including name and (residential) address. The page also displays sensitive information, including loan terms and payments, the cost of the project, and a 3D diagram.
The name and address may be withheld; most people would recognize their house without needing their street address and name displayed.
The URLs of these pages will not be guessable, so our client information won't be trivially harvestable.
Would such a system violate GDPR?
Note: Internal data handling is already in compliance with GDPR; there are adequate physical and technical controls, etc. I'm focusing on the "Click to view quote" portion, not a general audit of a system.
Note: I'm looking for state of the practice information, not specific legal advice. This is not the place for legal advice.