In that sense, I personally give little weight to such nerdy, internal details.
I also remember well a German regulation from about a decade ago, forbidding to memorize IP addresses. What happened? Everybody ignored it (I worked for SAP back then, and they did of course), until authorities realized how stupid the idea was. I remember the panic back then, and nothing happened.
https://www.heise.de/newsticker/meldung ... 54157.html
Entrepreneur friendliness has a higher priority than publicly admitted (even in France lol). Some say it's likely the only binding force behind the EU.
Even on a smaller scale there are many little points to think of, as you already mentioned:
- Privacy Policy (mentioning all points of the specific website & tools/plugins which have anything to do with personal data processing and cookies)
- Checkboxes (+ link to privacy policy) in contact forms and comment areas
but besides that...
You can't have any SoundCloud player embedded on your website any more, because with it as an embedded player/playlist, there will automatically be SoundCloud-based cookies working before the user can even say yes or no to the cookie, so it is not GDPR compliant.
Embedded YouTube videos are also (through the cookie issue) not fully GDPR compliant, even with the privacy setting used while generating the embed shortcode.
(and with a business focused on audio/music/sounds, SoundCloud + YouTube is an essential piece of how to demonstrate your product to users)
You need to give the user the option to get a full report of what data you have on him through visiting your website, plus the option to erase all that data. Technically, for many sites/systems, that is not easy to do in a few days.
You also need contracts (in German called AD/ADV) with your host provider, Google Analytics for example, your newsletter service etc. It is also "ironic" that many lawyers aren't sure, based on the GDPR wording itself, if the necessary contracts have to be in paper form, or if it's enough to have them in completely digital form.
A cookie notice is a must as well on your website (and it should not cover up/overlay the direct link to the privacy policy page, if you have it for example in the footer)
The newsletter as well is a big drawback for many companies: create a completely new pool, and ask all your previous subscribers if they want to join the new pool, because you can't use the old pool after 25th May.
And in addition, depending on which system you use for your website, for some essential plugins like security, you probably have to wait till the last day for an essential update to make it GDPR compliant. For example, if it uses IPs to block unwanted guests or spam etc.
+ combined with EU MOSS VAT... sometimes the thoughts of migrating far away from the EU come more often