[onion2k]

I found this regulation put too much burden on small businesses.

There's a very simple way around that problem - don't ask for your user's data.

The GDPR is about making sure you do your best to protect what they share with you. If they don't need to share anything then there is no burden on you to protect anything. In my opinion this is the ideal outcome. If you gather their data then there really should be a burden on you and your business to do the necessary work to make sure you've done at least the minimum to protect what they've shared, especially if you're profiting from that data.

[billconan]

Most websites ask for users' email used as the account name.

From what I have read on this topic, email address is considered a personal information.

> the necessary work to make sure you've done at least the minimum to protect what they've shared, > especially if you're profiting from that data.

The OP was willing to comply, she asked what "necessary work" means and how to define "minimum".

Also it seems to me that GDPR applies to non-profit sites.

[sheepmullet]

> Most websites ask for users' email used as the account name.

> email address is considered a personal information.

As another poster mentioned - just don't use email.

Or if you must then just make sure you only do the minimum you have to with it - e.g. Don't send it to a third party, have a way to delete it when a user wants to close their account (unless you have a good reason to keep it - e.g. to match to a financial transaction).

What's the difficulty?

GDPR shouldn't be a burden for a small business unless the business is in the personal data space.

[onion2k]

So what? Don't ask for an email address. Use an OAuth provider instead. Or let people use the server without signing up. Or assign users a random number as their log in.

There are plenty of options available if you don't want the "burden" of securing your users private data, but ignoring if isn't one of them any more. This is a good thing.