I initially felt the same way, but after actually reading through the GDPR materials, and a bit of Q&A on HN, I've come to the conclusion that it's a good thing.
It doesn't really place any burden on business - it simply means that you must be transparent with users about how you use their data, allow them to know what data you hold about them, and allow them to delete it if they wish.
As a consumer, as well as a founder, that seems very reasonable.
But the biggest real problem is that since the GDPR, read literally, is borderline draconian and the defence is that the regulators will enforce it selectively and pragmatically, literally no-one really knows how great that burden will be... which itself then becomes a significant burden.
I'm afraid I completely disagree, especially with "borderline draconian".
When I first heard about it, I was somewhat fearful of the unknown, imagining I was going to have to 'waste' time on 'checkbox compliance' - but after spending some time reading about it, I believe the intent is good, and also that the burden isn't going to be that big.
As a consumer, I absolutely want the GDPR - I believe I do have a right to know how my information will be used, to know exactly what is held, and to have it deleted if desired.
As a founder, I want to be responsible with personal data. And because I am, I'm already compliant with just about everything needed by the GDPR. I hardly expect a deluge of requests from users, so I don't even need to spend any time on automation.
Moreover, as a founder, I couldn't agree more with being responsible about working with personal data. We have always been careful about the data we collect and how we store and process it. But from what we have learned ourselves so far, we seem to have significant additional obligations under the GDPR (for example, being able to produce substantial amounts of formal documentation to the ICO on demand) that we would not currently be able to meet, and we might have other obligations that could be awkward (often related to the various subject requests now possible) but the implications aren't fully clear.
We also don't expect a huge deluge of requests from users. In fact, we've never had any under existing data protection rules. However, given that there several people have posted to HN recently saying that they'll be happy to send in large numbers of such requests when the GDPR comes into effect just to make a point, and unlike the current data protection rules in the UK there appears to be no provision for a token fee to deter such vexatious requests, we have to consider the possibility and at least have some intelligent way to respond, even if that just means knowing what our actual obligations would be if anyone did make such a request without doing any other work in advance.