[aenario]

As a company/developer starting from scratch, there is really no complexity nor landmines : Do as you say, Say what you do, Give the user options.

You can offer the user the choice between targeted advertising or non-targeted. You can offer the user the choice between paid subscription or advertising.

Cant get enough users to pay or consent ? Then you did not find market-fit in the real world.

[xtracto]

Oh but GDPR is more than "don't do marketing". There´s stuff like "Right to be forgotten" that implementing controls for it would require a company starting from scratch to spend resources in "getting it right", and then you have things like backups, that may or may not fall in scope. And this is only one of the 8 rights that the GDPR provides.

[aenario]

First of all, it's not "don't do marketing", it's don't do "user-tracking-and-profiling based advertising". Marketing is so much more, like actual market research to provide a service users actually want.

You have to handle a "right to be forgotten" query within a month, surely this is enough time for one sysop to run a prepared query. If your database is so byzantine that you cant find all reference to a given customer, you are either google or in need of a new architect.

Backups do not need to be deleted immediately, they should however expires and be destroyed in accordance to your data retention policy (Say what you do, do as you say).