That's really interesting! Could you say more about the job-like aspects of having users? Do you have advice on infrastructure that could be built to make the job easier?
I'm currently working on my first-ever side project with user accounts, and now I'm wondering what I'm in for. :-)
For me it's about the moral responsibility. If people are trusting your site with their data, you have an obligation to keep it running, and to keep it secure. This is a big responsibility! Especially since over the long-term the vast majority of projects eventually cease to exist.
In addition to user PII responsibilities, you may also be responsible for user generated content depending on where you live. Both real users and bots will inevitably submit nefarious material on your servers.
The easy solution there is to just ban European users if it's just a hobby project and your concerned about that. Probably not the solution that GDPR would prefer.
That's not as easy a solution as it appears - the GDPR isn't the only piece of personal data legislation in the world. If your strategy is to keep track of all the places that place responsibilities on you for collecting personal data and reject users from those locations then, you need to be looking at every state in the USA (Californian citizens have a consitutional right to privacy), and many countries across the world have various data protection laws.
I'm currently working on my first-ever side project with user accounts, and now I'm wondering what I'm in for. :-)