If I understand the GDPR changes correctly then I don’t know if they should necessarily impact the choice much. Soon admins will be able to anonymise user keys and usernames along with associated personal data. This doesn’t change the fact that a username is already capable of being changed at any point. Going forward, the user key will only change when a user is anonymised, whereas the username can change whenever an admin wishes in addition to when a user is anonymised. So the key remains the more reliable identifier.
Additionally, new user keys will not contain people’s names in the future, so you’re probably better off storing them since the less personal information you have to deal with the better.