[oldcynic]

> the real problem was that nobody UNDERSTOOD what GDPR meant (including the legislators

There we have to disagree. It's not like this is something new and untried.

GDPR is a development from long-standing, and now very well understood, Data Protection. The legislation seems mainly intended to modernise some of the definitions and scope (eg adding biometrics to PII), catch some newer practices, and make very plain and explicit that it doesn't just apply to EU companies.

In 1996 and 97 in the run up to the 1998 Data Protection Directive I recall a couple of common confusions and misunderstandings. Nothing like the ridiculously poor and simply incorrect reporting we have for this.

Any large org should have been fully compliant with DPA for years. They have to add extra mechanisms for explicit opt-in or deletion and get a little less time to retrieve full data and can't charge. That doesn't seem to need a "behemoth of effort", but not to say it's necessarily entirely trivial.

In other words they survived DPA with no apparent effect, yet it's >80% of GDPR with the same definitions. No one should be iteratively fumbling toward an unclear target at all. Even reading the UK ICO's old guide to 1998 Data Protection from a few years ago gets you most of the way there including understanding personal data.