It took my team six months to get our company GDPR-compliant, and that included hiring three external consultants with extensive knowledge of GDPR and its implementation across the various EU countries we did business in. We were a short-term car rental company, we did not earn money with user-tracking, advertising or selling user data. But we did process drivers licenses, user data, trip data. We had to re-write big parts of our car-tracking module because having it tied to the current driver (customer) automatically made it personal data, which can be requested on demand when the customer wants to. It also limited us on what we could log to our logging server and store in a database.
I can understand that an American company does not want to make such an investment when there is literally 0 added business value, as EU customers don't shop at that company.
I can understand that an American company does not want to make such an investment when there is literally 0 added business value, as EU customers don't shop at that company.