Well done Richard! This article and the guidance it contains goes to the heart of GDPR in my opinion. Those seeking definitive answers to their particular business scenarios are likely to be disappointed hence the need to take the GDPR default approach of risk assessing the business and its data requirements. There are no shortcuts to getting GDPR right.
There are safeguards in place should a contactless card be stolen. I recently had my card declined when trying to a contactless transaction. On enquiry with HSBC, they explained that there is a limit of £100 spend of continuous contactless transactions. Once this is reach the cardholder needs to a do a pin based transaction to reset the £100 limit. This is a good safeguard - I am sure this is offered by other providers, so worth exploring!