You're acting like you know exactly how to comply with GDPR, while using the term "essentially" to admit that you don't know 100%. Meanwhile you're faulting someone who runs a non-profitable community project for expressing realistic fears over what the law could do to him, because he isn't sure what risk it lays on him.
I've been running websites and doing IT for a long time. I've spent at least 10 hours on my employer's dime reading about GDPR and trying to figure it out. There's a lot of ambiguity. We're in the US, we don't do a lot in Europe, so we're at less risk, and my conclusion was that we're small enough (while MUCH bigger than streelend) that we're not going to be a target while some of the ambiguities get worked out in courts. This poor guy has no protections.
The place I work does actually store personal data for a variety of reasons, and we also work for a bunch of other companies that do, and the path to GDPR compliance hasn't been painful. The biggest issue is, as you say, research, but if the sum of your data storage is an email address, a name, and a physical address, then you're hardly falling into any of the nuanced cases.
I'm not faulting the person, I'm just saying the response doesn't seem founded in firm reasoning, but in (self-admitted, by the link!) "I need to look into this but I haven't, so we're shutting down". This isn't a newsworthy event or "proof the GDPR ruins businesses".
Because looking into it takes time and effort? Even if he looks into it and finds ambiguity then, if he cares enough, he'd need to talk to a lawyer, which may cost money.
> This isn't a newsworthy event or "proof the GDPR ruins businesses".
It is an anecdote that complying with a far-reaching and ambiguous law has real consequences.
> that we're not going to be a target while some of the ambiguities get worked out in courts.
I posited this to our counsel when discussing what to do about GDPR. He cautioned that he’s seen investigations start due to a nosey bureaucrat.
I don’t know if your product is public facing, but if it is, all it takes is a single sufficiently powerful government employee to get curious about your business and start asking questions.
Even if you’re not doing anything wrong, having to engage counsel to respond to the government could get pricey.