[sjellis]

> what is happening instead is that small companies, starrups, etc. are getting fucked over by the sheer amount of "rules" they have to follow and implement

Nope. The GDPR is a European-style regulatory framework: it sets out principles and expects people to apply them in a reasonable and sensible way. The national regulating agencies are there to steer organisations into doing the right thing, rather than beating them up when they don't. I have literally telephoned the UK regulator and had a polite conversation when I needed a clarification of a particular point in their (most clearly written) online guidance.

The regulators do have strong powers so that large and well-funded companies can't just deploy lawyers to get away with things. Cambridge Analytica is one obvious case: they tried to play games with a GDPR regulator, and got a very hard smack-down.