No, the threat is having rules that are ambiguous and subject to interpretation by regulators with the power to at minimum cause serious disruption through a formal audit and at maximum impose fines that pose an existential threat to a small business.
And as I said elsewhere, if you think that threat is imaginary, please look at how many different national tax authorities have started large numbers of incorrect claims procedures against small businesses who had done nothing wrong just because the officials made mistakes with the new VAT rules and got their own records in a mess.
Access Controls, Data Classifications, and Privacy Impact Assessments requested by GDPR are not a threat.
That’s just security 101 basics.