However, the rules are vague enough to be interpreted in other ways as well. If some authority decides to make an example of pesky local startups for whatever reason, there is little that prevents them from doing so. Remember, both the actual implementation and the enforcement of the regulation lie with the EU member countries, which might even decide to further devolve that responsibility to a local level.
Moreover, in the past, similar regulations, such as the legal notice requirement for websites in some EU member countries, were abused by shady lawyers who specifically target small businesses that supposedly don't comply with these rules.
GDPR requires companies to use “state-of-the-art measures” to protect personal data, which is intentionally vague because the state of the art obviously changes over time.
However, who will decide what the state of the art actually is at any given time? Politicians, lawyers, competitors, actual IT experts? The latter don’t commonly work for either EU or local authorities.
Because the laws are implemented by each EU member state, that state of the art might even differ depending on whether you’re located in, say, France or Germany.