I just want to roll my eyes when I see comments to the effect of, "Oh, it's so simple, just read the 80+ pages! The language is clear and straightforward, we promise! Also, you should have separated duties, full CI/CD that sanitizes any possible user data from leaving its hermetically sealed tier, and delete data early and often. If you don't, you'll be fined several tens of MegaEuros." The risk-reward ratio there is just insurmountably high for a small one- or two-person team.

I'm sure there are actually good parts of GDPR, and, hell, for all I know, the whole thing is the overarching achievement of Western civilization. But, unfortunately, reading 80 pages of dry foreign legalese when I'm not a lawyer is somewhere between a waste of time and a very bad idea (e.g. I think the regs are simple, make a mistake, then have huge legal liability). I will sadly be blocking the EU from any services I work on going forward until the point where I'm successful enough that I can actually have my lawyer look over everything.