Companies will have a Chief Privacy Officer whose job is basically to provide oversight and, of course, absorb the risk. That person will probably be paid well.
I'm actually OK with that. We're always complaining that companies don't take security/privacy seriously because there's no incentive to do so. See e.g. the Equifax HN threads. Having a person in the C suite who'll end up in jail if the company seriously fucks up is, IMO, a net positive for the world.
That's exactly my hope. Only large companies benefit from such laws (including, potentially, GDPR); other, smaller ones get slowed down. With GDPR, many newspaper outlets stopped access from outside of the US.