Most mobile ISPs in the UK use Procera Networks (now Sandvine) products that do basic deep packet inspection to filter traffic.
You can allocate users to pools and provide contectivity based on the pool, ie allowing you to limit speeds of high usage users or have different filtering lists like this under 18s list.
With these devices you are able to block traffic to specific domains even if SSL is used with relative ease.
As it is done at network level, you can't bypass via different DNS provider, only vpns can bypass
Not an expert at all, but my basic understanding of GDPR is if you outsource a service to a 3rd party and they collect data or do any processing that they shouldn't, you are essentially responsible.