Bureaucracy, compliance cost, uncertainty of enforcement... The category doesn't need to be the same, just the pile upon pile of anti-(small)business regulation.
You say "anti-business", I say "consumer rights" (and more importantly "human rights").
As a small business you can comply with the GDPR fairly easily unless you have no regard for anyone's privacy to begin with. And even if you're not 100% compliant you won't be insta-sued to bankruptcy, you'll only be reported and the relevant data protection agency will check on you. The GDPR encourages data protection agencies to help businesses fix their problems and only use fines as a last resort for gross violations and wilful negligence.
Unless you're storing/processing information that has special protections (e.g. religion, sexual orientation, medical data) the bureaucracy is also fairly tame, especially for small businesses, especially for businesses that aren't at their core based on processing personal information (e.g. not online dating startups).
Compare this with the "upload filter" as it has been interpreted in the media so far: allegedly every website that allows users to upload content would have to implement their own Content ID database and sign deals with publishing companies or license filtering services.
Oh, and by the way, as long as you show something to EU visitors (even an error page telling them to GTFO), you need a privacy policy.