[mi100hael]

> respond to that email in under quarter of an hour.

Let's take an app like Instagram as an example. Instagram had over 1 million users within two months and 10 million within a year, and no profits. You're running on a shoestring trying to keep servers online without any serious budget to speak of. It's probably you and a few friends/associates working closely together.

All of a sudden with GDPR, you have to pay a lawyer to help you understand what you need to do to comply with the regulations. You also have to spend engineering time developing solutions to enable the queries in that letter, enable purging records from long-term backups, etc. And people have to spend the 15 minutes responding to each request.

Now, let's say each request does only take 15 minutes like you suggest (which I find highly unlikely). If a small fraction like 0.5% of your customer base sends such a letter, then that's 50,000 letters. At 15 minutes each, that's 12,500 hours which is over 6 full-time employees. Many small business don't even have 6 employees to conduct the entirety of their business right now!

[annabellish]

If the concern is that business owners can no longer cut costs by being lax with people's data... isn't that the whole point of the GDPR? That we've collectively decided that letting people cut those costs is having too many negative concequences too often and that we need to stop?

[mi100hael]

There's a pretty wide chasm between "cutting costs" and "literally doubling your staff," the latter being a death knell for small businesses.