
Saying you don’t need to worry about GDPR if you don’t keep PII is the “nothing to hide” argument. There is still a cost to demonstrating compliance that goes beyond complying.

Maybe an analogy will make it click: If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal.

Replace marijuana with "personal data" and imagine it is about websites with visitors within the EU. If they're not storing, processing and/or transmitting personal data, there are no compliance requirements (from GDPR at least).


> If you have marijuana on you in a country where marijuana is illegal, then finding marijuana on you is illegal. If you don't have marijuana on you, you're not doing anything illegal

This is a good analogy. By making the marijuana illegal, you also implicitly widen search powers. You can’t arrest someone you think smells like weed if weed is legal. (Or answer a neighbor’s complaint that they suspect they’re growing weed.)

Same idea. If you say you aren’t storing personal data and I say you are, someone’s got the authority to check. Those checks and confirmations cost time and money. With a complain-investigate set-up like GDPR (and American securities law), the burden is on the respondent.
