Hacker News
by Kalium 2997 days ago
A couple of things stand out to me as potentially scary. First, the hard one-month timeline. For a brand new baby startup, a month is a lot of time and any distraction potentially killer.

Second, a list of everything across all types of storage in any and all systems stands out. Even large companies often lack the ability to search ZenDesk, Salesforce, email, AWS S3, and Slack logs all at once.

Third, there's a clause that asks quite specifically for a thorough list of any and all potential future plans. That's a lot, especially given how startups are subject to pivoting.

Fourth, the section about third parties is essentially asking for the outcome of a vendor assurance process. A lot of small companies can't pass a reasonable vendor assurance process. They often can't afford the time and assurance specialists to manage one for their vendors. Even large companies often have trouble maintaining the level of control required for thorough vendor assurance. The bit about legal reasoning implies the involvement of a lawyer as well.

Fifth, there's a strong implication that no matter what you might say in response, it's not going to be good enough. There's always something that can be pointed to as not enough.

With all of the above combined, I can see where some might view GDPR as intimidating and favoring big companies over small ones through sheer costs.