While I agree with your last 2 paragraphs, I don't agree with the rest. I have a small team (2 full-time devs and a designer) and we have no problem achieving GDPR compliance.
SaaS idea: I am an EU citizen and I will test that for every company that sends me a link to their website, by creating an account and then complaining to the Romanian authority that the site doesn't comply with the law.