by BjoernKW 2969 days ago
While I understand the sentiment this might be risky. Creating the required documentation after the fact should your project take off might not be possible in every case.

The goal of GDPR is compliance not punishment. So long as you are eventually following the rules it’s all ok.
Yes, compliance is the goal.

However, the rules are vague enough to be interpreted in other ways as well. If some authority decides to make an example of pesky local startups for whatever reason, there is little that prevents them from doing so. Remember, both the actual implementation and the enforcement of the regulation lie with the EU member countries, which might even decide to further devolve that responsibility to a local level.

Moreover, in the past similar regulations, such as the legal notice requirement for websites in some EU member countries, were abused by shady lawyers who specifically target small businesses that supposedly don't comply with these rules.

Give me an example of an overly vague rule.
GDPR requires companies to use “state-of-the-art measures” to protect personal data, which is intentionally vague because the state of the art obviously changes over time.

However, who will decide what the state of the art actually is at any given time? Politicians, lawyers, competitors, actual IT experts? The latter don’t commonly work for either EU or local authorities.

Because the laws are implemented by each EU member state that state of the art might even differ depending on whether you’re located in, say, France or Germany.

I wouldn’t bother about documentation, but I would bother about thinking about the basics: do I need all this personal information? On what legitimate basis am I collecting it? Am I storing it safely? Do I explain to people clearly how I’m using it, how they can see it, amend it or delete it?

Get the basics down, the documentation can follow. Get the basics wrong and it becomes painful.

I agree that the major benefit of GDPR for small companies is that you have to review and perhaps revise your processes accordingly.

However, the documentation is still required. You can create some of that later, or just in case you're requested to do so, but as soon as third parties (i.e. data processors) are involved that might not be possible anymore.

At the very least you'll be very busy for a few days because such requests by relevant authorities will come attached with a somewhat tight deadline ("Please supply these documents within 2 weeks or else ...").

Oh to have this problem. Let me guess, your side project is multi-cloud replicated, CDN fronted, data center backed?
This has nothing to do with over-engineered infrastructure.

As soon as your side project processes and/or stores user data, GDPR applies to you.

Good luck with providing the requisite documentation and data processing agreements if authorities ask for them and you didn’t prepare those in time.

You live in EU? Sure. You live in US? Nope, it does not apply. There's no nexus. EU can go and pound sand.
That's not correct. As soon as you want to do business with someone currently located in the EU (doesn't even have to be an EU citizen), GDPR applies, no matter where your company is located.
EU can write any law it wants. It cannot enforce it on anyone who does not have a nexus to the EU.

Any hobby that gets to the point of making money in the EU gets a nexus. Everything else is FUD. Facebook, Google, Apple, etc. all have a nexus, which is why it is applicable to them. JoeSchmoeLLC from Delaware does not.

Just because something isn't easily enforceable, it doesn't become legal or ethical.

A small company absolutely can get by with shoebox accounting, too, it's just not particularly advisable to do so.

The same applies to completely ignoring GDPR, whether it's enforceable or not.

I have quite enough to do to comply with my own country's laws, thank you very much. Where would this end? Would I eventually need to know the laws of every nation so that I can do what you feel is ethical? Or do I just follow other countries' laws if they make headlines or get talked about a lot? I'll be following the IDGAF process on this one.
It's actually quite simple.

If you don't want to do business with someone from another country you certainly don't have to comply with other countries' laws. If on the other hand you do sell a product or service to businesses or people abroad you have to comply with the relevant laws of their respective home countries.

That's not a new or GDPR-specific situation but rather has been the case since pretty much the beginning of international trade.