From my understanding of the legislation, if you wish to make a record regarding someone then you must get their permission. If you don't want to get their permission then making records about another person is none of your business.
This is true only in relation to sensitive data (i.e. revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, concerning health, sex life or sexual orientation etc.). Processing of other personal data, according to art. 6(1)(f) of GDPR, is allowed without consent of the data subject when "processing is necessary for the purposes of the legitimate interests
pursued by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and
freedoms of the data subject". Taking into account that The Article 29 Working Party mentioned exercise of the right to freedom of expression or information, conventional direct marketing, and unsolicited non-commercial messages, including for political campaigns or charitable fundraising, as possibly being legitimate purposes of data processing (Opinion 06/2014, p. 25), it will likely be necessary for national supervisory authorities (aka departments of 'it depends') and courts, CJEU and other national and international bodies to determine whether and to what extent this provision is applicable to JW door-to-door ministry and similar activities (e.g., political canvassing).
The public should know that potential pedophiles are knocking on their doors and keeping records about their home and members of their family.
Preaching JWs are no more potential pedophiles than anyone's relatives, friends, neighbors etc. The org's mishandling of CSA doesn't justify portraying adherents of the religion as dangerous criminals and incitement of moral panic.