I think it's likely that some EU politicians saw how bad the data retention act was and how it'll only be getting worse. They decided to do something about it, but when it came time to put down the details, companies got involved, and the end result helps those companies without most of the politicians noticing. I'm sure a decade from now they'll be confused about how the EU is still lagging behind in tech.
This isn't the first time the EU has done something that screws small businesses. VAT on digital goods was another case (there was no minimum threshold). At some point it'll start to seem intentional.
Define "tech". I'm working on a tech company which does something novel and important and have no issue complying with the GDPR - I'm aware of what data I'm processing, and what third parties I'm integrating with. I don't store or process data in ways that aren't necessary for the use of my software. I make a copy of data that I need to keep for legal/liability audit purposes into a separate system, where there's a cron job which deletes it after it's unnecessary. Deleting a user's data is as simple as DELETE FROM users WHERE id = ?, and I'm happy to do that because it means one fewer user's data which might be accessed in a security breach. I don't need a GDPR consent dialog or a cookie popup, because I don't do anything which needs either of these - I don't have any cookies aside from a login cookie, and I don't process data in unnecessary ways. I have a document which specifies what data I store and what I use it for, from which I can derive a privacy policy.
So... define "tech". If you mean "adtech", say that.
So what do you do when you need to fix a bug and need logs and other information from users? How do you track all of that data on developer machines? How does your system delete data from all backups? Do you have an automated system a user can request all their data from? How do you validate that they are who they say they are? How sure are you that all your processes are legally enough? How much did all of this cost?
I do mean tech. An industry tends to breed more of the industry. Adtech is part of tech and a lot of online businesses rely on ads. If you remove that you also remove a large chunk of people that would work on this type of tech. Then some of them instead end up working for some US company. Europe has a much larger population than the US. Europe is largely as educated as the US. Where's our Microsoft, Apple, Google, Amazon, Samsung, Sony etc? We have SAP and that's it.
Edit: I like the idea of GDPR, but I cannot stand how people think it has no cost. A large portion of the internet relies on the ad industry.
To answer your edit - advertising does not imply individual user tracking without consent. There was and continues to be advertising without individual user tracking. There are also plenty of businesses that are able to start up without relying on advertising for income at all.
There's a cost to not having the GDPR - that of our individual privacy.
> So what do you do when you need to fix a bug and need logs and other information from users?
Due to the minimal privacy implications, logs which (a) only store the minimal personal information feasible, (b) are deleted after a short period of time, and (c) are accessed in order to fix bugs or provide requested support are covered under the legitimate interests basis, according to my country's regulator.
> How do you track all of that data on developer machines?
I don't, it doesn't wind up on developer machines, it never gets copied out of the system where it's stored - it can be viewed "in situ". For the vast majority of personal data in the vast majority of companies, you're allowed to assume that employees who have a reason to access it are not stealing it. If you get to a point where you're not one of these companies, you know about it, because you're already doing things like "hiring a lawyer to write our privacy policy".
> How does your system delete data from all backups?
I don't, but my policy will state how long backups are stored for as recommended by my regulator, and my process for restoring from them will involve deleting data which has been deleted for legal reasons since the backup - basically, "re-run the DELETE FROM query for everyone who's asked for their data to be deleted".
> Do you have an automated system a user can request all their data from?
Nope, but that isn't legally required by the GDPR - it's an operational efficiency if you're the sort of company that gets a lot of GDPR requests. Manual processing is fine and likely operationally efficient, as long as you know where personal data is stored in your system.
> How do you validate that they are who they say they are?
My intention is to respond with "you can verify your identity by logging in at https://X/login with your username and password and sending us your 'support code' from the settings page", handle password resets via email according to industry standard, and anything else I can respond with "we cannot verify your identity using the information you have provided" because, well, I don't hold other information I can verify people with.
> How sure are you that all your processes are legally enough?
Given that I am not an adtech company and have documentation showing that I am attempting to comply, I expect that my regulator will follow the approach they've taken so far, which is to notify me of a potential breach of the regulations and allow me to fix it before attempting to fine me. By the time I am in court I will have known about a potential breach of regulations for several months, including communication with the user and regulator, and will have had an opportunity to either fix the alleged issue or talk to a lawyer about it.
Europe has a fair chunk of tech, btw. SUSE's here, Spotify's here, Adyen's here, BlaBlaCar is here, there's a variety of food delivery companies which are generally being far more sustainably successful than their US-based counterparts, Skyscanner are here. TransferWise is here. The difference is that our companies largely have a business model from an early stage, and US companies don't, so they take up huge amounts of the market for a short period of time and then go bust.
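The backup-restore process described in the reply above (re-run the DELETE FROM query for everyone who has asked for deletion since the backup), as an added example that is not part of the original comment or the commenter's code. It assumes a hypothetical `erasures` ledger kept outside the backed-up database, and uses in-memory SQLite with constructed rows.

```python
import sqlite3

def make_db(rows=()):
    """Constructed sample schema: a users table like the one in the comment."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", rows)
    db.commit()
    return db

def make_ledger():
    """Hypothetical erasure ledger, stored outside the backed-up database so a
    restore cannot roll it back. It holds only the user id and a timestamp."""
    ledger = sqlite3.connect(":memory:")
    ledger.execute(
        "CREATE TABLE erasures (user_id INTEGER PRIMARY KEY, erased_at TEXT)")
    return ledger

def take_backup(live):
    """Snapshot the live database using SQLite's online backup API."""
    snap = sqlite3.connect(":memory:")
    live.backup(snap)
    return snap

def erase_user(live, ledger, user_id, when):
    """Handle an erasure request: record it in the ledger, then delete."""
    ledger.execute("INSERT OR IGNORE INTO erasures VALUES (?, ?)", (user_id, when))
    ledger.commit()
    live.execute("DELETE FROM users WHERE id = ?", (user_id,))
    live.commit()

def replay_erasures(db, ledger):
    """Re-run the delete for every ledgered id; returns rows removed.
    Idempotent, so it is safe to run after every restore."""
    removed = 0
    for (uid,) in ledger.execute("SELECT user_id FROM erasures").fetchall():
        removed += db.execute("DELETE FROM users WHERE id = ?", (uid,)).rowcount
    db.commit()
    return removed

def restore(backup, ledger):
    """Restore a snapshot and replay erasures before it goes back into service."""
    restored = take_backup(backup)
    return restored, replay_erasures(restored, ledger)

def user_ids(db):
    return [uid for (uid,) in db.execute("SELECT id FROM users ORDER BY id")]
```

The ledger has to live somewhere the restore does not overwrite; if it sat in the same database as `users`, restoring the backup would also restore the ledger to its pre-erasure state and the replay would find nothing to delete.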