"Supporting" the GDPR is basically following best practices for data security in any case, so if you aren't already doing it, then you or your users will likely get a nasty surprise in short order anyway.
That isn’t true though. If you are claiming that you don’t need a lawyer to go over the rules and you don’t need engineers to re-architect the system to be compliant, then you don’t have anything to lose in a lawsuit when you inevitably mess all of that up.
All laws are nuanced, just thinking that you are already doing the right thing isn’t enough to avoid legal liability.
All laws are nuanced, just thinking that you are already doing the right thing isn’t enough to avoid legal liability.