I have started to think that parts of GDPR should have been restricted to large companies - e.g. anyone with more than 100k active users, data describing 100k individuals, or an organization employing more than 100 employees. That would seem like a fair way to protect privacy while keeping barriers low for tech ventures / experiments.
If you do that, then Facebook and the other privacy terrorists will happily create 20000 little companies that they outsource their scum to. Also, a very small company with tens of thousands of datasets can still do terrible damage to people.