[anf]

Because he's lazy and thinks he'll get away with it. He'll come into compliance after penalties outweigh the costs of changing the way he does business. This is probably the reaction of the vast majority of folks dealing with customer data, and not at all unexpected — they have a business to run, and costs to customer privacy are an externality being rolled into their costs via regulation.

[orwin]

Also, this is one of the sane solution if he know he has not that much user data. First fines will not be high or won't happen at all, and he will receive advice and even help from regulatory instances if he is ever reported.

If every business owner commenting those GDPR post on HN could act the same and not like headless chicken, discussions would be more healthy.