Everyone did substantial work. But the net effect was making binders of policy and PowerPoint presentations. It’s an “impress a regulator” scheme. Not a hard requirements test, nor a private liability one.

Many companies invested a lot of time.

But from what I have seen, most of that time was spent on the legal and policy site, not on actually implementing the technical changes required to properly handle, store and delete data.

I can absolutely guarantee you that the overwhelming majority EU companies could not properly carry out a GDPR deletion request.