This particular law is 88 pages full of duplicated terms, vague definitions and sometimes contradicting points. A very quick proof of that is the number of misunderstandings on so many points of it just in the comments of this topic - e.g. "do you need a DPO?", "do you need two separate people to avoid CoI?", "does the DPO need to be EU resident?". There are hardly two people with the same interpretation. And if people on HN have a horrible grasp of GDPR, how would an Average Joe be able to understand it idependently?
The only thing certain are the insane crippling fines.
It is extremely naive to believe you don't need a lawyer for that. You do - the same way as in some of EU's less market-oriented countries, after a VAT reg you need a registered accountant.
Well, the difference is that theft is a natural law. We are born with an instinct it is wrong.
Having a data processing officer in the EU for some definition of significant business is not a natural law and requires careful parsing of the legal text.
