Hacker News

It’s only a strawman if you assume that everybody knows the right way to do everything. There was nobody around when I did my startup to tell me how to do all of this stuff.


The entire point of GDPR is that it creates a set of requirements, and allows you to make decisions in your professional judgement to fill those requirements. This is no different to how management in any software company will present business requirements for the software you are to make, and request that you decide the technical implementation. That's your job if you're a developer.

As long as you're confident enough in your PII solution to be willing to present it in front of other software developers who have been called as expert witnesses and declare that it meets the GDPR requirements, you can pick any "right way" you like to meet those requirements.

If you think it's an unreasonable burden to have to make PII handling solutions that are robust enough that you can honestly defend them in court if challenged, maybe you shouldn't be handling PII. Like, at all.


I’m not confident in anything I’ve written ever to have it picked apart by a team of expert witness programmers. Maybe that means I have no business working at a startup. Maybe we should think about the implications of that.


>I’m not confident in anything I’ve written ever to have it picked apart by a team of expert witness programmers.

Then you shouldn't be handling PII, any more than you should be handling credit card details, genetic information or military intelligence.

>Maybe that means I have no business working at a startup. Maybe we should think about the implications of that.

The EU has, and has decided that, having seen the alternative, it would rather just not have the startups. I think that's a reasonable position to take.


> Maybe we should think about the implications of that.

A good thing because it means startups stop playing fast and loose with my data. These are just growing pains. In a few years, enough stuff will be written online about best practices to stay GDPR compliant. The new guys can follow that.



