by johndhi 1036 days ago
I've implemented gdpr. It's much more than that.
3 comments

Don’t set cookies. Don’t capture Personal data. You’re 90% there.
Oh, no, there's more.

You must list all kinds of data processing you perform, find the appropriate legal basis (and data retention duration, etc.), make sure you only gather data you need (data minimization), know to who you transfer data, make your services secure by default, monitor for unauthorized access, and tell affected people when there is a breach. Perhaps make a risk assessment, but it depends on the processing you do.

Yes, it's work. But quite frankly, I'm cool with a law that expects anyone who processes personal data to secure their service, to properly inform people, and holds them accountable.

So you are choosing to capture personal data.
Personal data has a very wide definition under GDPR:

> ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

An IP address, or an email address is personal data. Even a pseudonym or a session ID is personal data. Yes, having a log for security purposes (GDPR recital 49) captures personal data (even just access dates and requested URLs may be considered to be personal data). Yes, a comment section on a blog may capture personal data.

Once again, I'm fine with all of this. But ignoring GDPR by not capturing personal data is more complex than it might seem.

Spoken like a person who never even touched it, even on a small project.

No cookies... so no language preferences. That is a profile cookie.

Right to erasure. What about invoices and orders? When can it be anonymous, and when is it old enough to anonymize?

Do I get away with replacing personal data with random data? Do I replace references to real people with 'anonymous person'? Will my SQL constraints still work?

When I restore data from backup and someone has been anonymized in the meantime, what mechanism will be used to anonymize the user after restore?

Right to data portability. How much of the database and in what format?

> Spoken like a person who never even touched it, even on a small project.

You can find guidance or good advice online for all of your questions.

> No cookies... so no language preferences. That is a profile cookie.

This is one of the examples of “strictly necessary” cookies, which do not require consent. See section 3.6 here: https://ec.europa.eu/justice/article-29/documentation/opinio...

> Right to erasure. What about invoices and orders? When can it be anonymous and when is it old enough to anonymize.

Invoices should typically fall under the “legal obligation” legal basis (article 6(1)c). See how long the law requires you to keep them. In my country, it's 10 years.

> Do I get away with replacing personal data with random data?

Yes, see WP216.

> Do I replace references to real people with 'anonymous person'? Will my SQL constraints still work?

What do you do when someone deletes their account?

> When I restore data from backup and someone has been anonymized in the meantime, what mechanism will be used to anonymize the user after restore?

It's up to you to decide.

> Right to data portability. How much of the database and in what format?

The same as for a DSAR. As for the format, it's up to you to decide, provided it is a commonly used format.
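The erasure, backup-restore and portability questions above (random replacement data, SQL constraints, re-anonymizing after a restore, the DSAR-style export) can be answered with one small mechanism. The following is an added illustration written for this thread, not code from any commenter: it assumes a toy `users`/`orders` schema in SQLite, an "erasure ledger" kept outside the data backups (an assumption of this example, not something GDPR prescribes) that is replayed after a restore, and constructed sample rows. Anonymization overwrites identifying columns with random values so that a `UNIQUE(email)` constraint and the foreign keys from orders and invoices keep holding, which a fixed placeholder like 'anonymous person' would break on the second erasure.

```python
"""Erasure that keeps referential integrity, an erasure ledger replayed after a
backup restore, and a portability export. Added illustration, not any
commenter's code; the schema and the ledger design are this example's assumptions."""
import json
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id     INTEGER PRIMARY KEY,
    email  TEXT NOT NULL UNIQUE,
    name   TEXT NOT NULL,
    erased INTEGER NOT NULL DEFAULT 0
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    user_id     INTEGER NOT NULL REFERENCES users(id),
    total_cents INTEGER NOT NULL
);
"""

# Constructed sample data for the demonstration.
SAMPLE_USERS = [(1, "alice@example.test", "Alice"), (2, "bob@example.test", "Bob")]
SAMPLE_ORDERS = [(10, 1, 1999), (11, 1, 500), (12, 2, 4200)]


def open_db():
    """Fresh in-memory database with foreign keys enforced and sample rows loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users(id, email, name) VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO orders(id, user_id, total_cents) VALUES (?, ?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def anonymize_user(conn, ledger, user_id):
    """Overwrite identifying columns with random values instead of deleting the row.
    Orders/invoices that reference the user (FK) are untouched, and the random
    token keeps UNIQUE(email) satisfied across repeated erasures.
    `ledger` (a set) stands in for a store kept outside the data backups (assumption)."""
    token = secrets.token_hex(8)
    with conn:
        conn.execute(
            "UPDATE users SET email = ?, name = ?, erased = 1 WHERE id = ?",
            (f"erased-{token}@invalid", "erased user", user_id),
        )
    ledger.add(user_id)


def replay_erasures(conn, ledger):
    """After restoring an older backup, re-apply every erasure the ledger records
    that the restored snapshot does not yet reflect. Returns how many were re-applied."""
    reapplied = 0
    for user_id in sorted(ledger):
        row = conn.execute("SELECT erased FROM users WHERE id = ?", (user_id,)).fetchone()
        if row is not None and row[0] == 0:
            anonymize_user(conn, ledger, user_id)
            reapplied += 1
    return reapplied


def snapshot(conn):
    """Copy the database into a new in-memory connection (stands in for a backup)."""
    copy = sqlite3.connect(":memory:")
    conn.backup(copy)
    copy.execute("PRAGMA foreign_keys = ON")
    return copy


def export_user_data(conn, user_id):
    """Portability export: the user's own record plus their orders, as a plain dict
    that serializes to JSON (a commonly used format)."""
    user = conn.execute("SELECT id, email, name FROM users WHERE id = ?", (user_id,)).fetchone()
    orders = conn.execute(
        "SELECT id, total_cents FROM orders WHERE user_id = ? ORDER BY id", (user_id,)
    ).fetchall()
    return {
        "user": {"id": user[0], "email": user[1], "name": user[2]},
        "orders": [{"id": o[0], "total_cents": o[1]} for o in orders],
    }


def demo():
    """Backup taken, erasure honoured, backup restored, ledger replayed."""
    live = open_db()
    ledger = set()
    backup = snapshot(live)                 # taken before the erasure request
    anonymize_user(live, ledger, 1)
    restored = snapshot(backup)             # restoring brings Alice's data back...
    before = restored.execute("SELECT name FROM users WHERE id = 1").fetchone()[0]
    reapplied = replay_erasures(restored, ledger)   # ...until the ledger is replayed
    after = restored.execute("SELECT name, erased FROM users WHERE id = 1").fetchone()
    orders = restored.execute("SELECT COUNT(*) FROM orders WHERE user_id = 1").fetchone()[0]
    return {"before": before, "reapplied": reapplied, "after_name": after[0],
            "after_erased": after[1], "orders_kept": orders}


if __name__ == "__main__":
    print(json.dumps(demo()))
    print(json.dumps(export_user_data(open_db(), 2)))
```

The design choice worth noting is that the record of honoured erasure requests must live somewhere the restore does not overwrite; otherwise the restored snapshot silently resurrects data the service already promised to erase, and nothing remains to detect it.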

I've also implemented GDPR. Of course it's complex; it's a continent-wide law, how could it not be complicated?

But I still think that "don't track your users without their informed consent" is a good summary of the intention of the law.

And I would also say that it's only really complex to implement if you were already tracking your users and now you need to change everything. If you weren't doing that, you'd probably find it remarkably easy to implement.

How so?