by fyfy18 2564 days ago
If you are an adtech company whose primary business was selling personal information of users, then yes, of course GDPR will have had a big impact. Google has put a lot of effort into being GDPR compliant, so I'd assume a lot of businesses switched away from smaller competitors for that reason.

I run a small SaaS business, which doesn't do anything ethically questionable with user data, and becoming compliant involved:

- writing a document on GDPR compliance

- changing a few settings so IPs aren't logged or are at least anonymised

- verifying log files aren't kept longer than needed and don't contain personal information that isn't needed

I don't even need a popup asking for users to give permission to store personal information, because I'm not doing anything that needs that.

1 comments

Did you not get any requests for DPAs, additional certifications, etc.?

You don't need to get any certifications to be compliant; it's not like PCI, where you need to be certified by a third party. This site has a simple checklist of what you need to do to be compliant:

https://gdprchecklist.io/

Most of the actions you need to take are just respecting the user's privacy and being explicit about how their data is shared. If you use your laptop in a coffee shop you wouldn't expect the barista to stand behind you and watch what you are doing, then share that data with their colleagues and suppliers.

I'd say for a small company it's actually easier than a large company, as you have fewer processes that need to be changed. In my case it was a lot simpler to become compliant for this than VAT MOSS.

I haven't had any requests for data, so I don't have an automated way to export it yet, but if anyone requests it I can build it quickly.