GDPR is intentionally obfuscated and made scary by people who have an interest in others thinking the regulation is onerous and silly (so that it is eventually changed/removed).
The regulation is not very hard to read (I would recommend you do it if you haven’t) and boils down to: “don’t pass on (process) information without informed consent, if someone requests that you remove their account you should do so, and also don’t keep records around, and do your best not to let anyone access personal information”. The last one is technically unenforceable, but exists to prevent people leaving open access to data processors and bypassing consent more than anything else. A secondary benefit is that people take access controls a little more seriously by forcing breach disclosures.
Even the cookie banners are not needed unless you’re setting cookies for data collection, especially for third parties!
There is a distinct irony in that all the online simplifications (“gdpr for dummies”, “the 7 things to comply with for gdpr”) are misleading and harder to read than the actual text of the regulation.
EDIT: I was foolish to post this during the peak time for US people. It feels like the Americans want the GDPR to be perceived as a pain.