I'm not sure whether you're agreeing or disagreeing with your parent comment, but I'm just tacking this on there because it feels right:
I think HN has just hit peak stupidity.
The amount of paranoia, misreading, misunderstanding, etc. about the GDPR is just insane (or intentional shilling, but let's not go all tin-foil-hatty prematurely).
Nobody who's doing anything even remotely above-board is panicking or anything of the sort. If you weren't already mostly complying with the GDPR (paperwork notwithstanding), your security practices and/or business practices were sloppy and/or dishonest and/or exploitative to begin with.
EDIT/Addendum: People who are not in the know are (somewhat understandably) a little bit nervous about "interpretation" and such, but there's a reason there's a "sliding scale" of potential penalties. Regulators don't tend to go for people/companies who are actually trying to do the right thing. They go for the people/companies who are the most egregious violators. (I hope I don't have to explain the reasoning behind this, but do ask if you're confused.)