It shouldn't be acceptable for startups, nor anyone else, to play fast and loose with personal data, just as it isn't with financial data.
Unless your business model revolves around usage of personal data, in which case GDPR is a very useful set of minimum baseline requirements for handling the data, compliance is fairly trivial.
Unless your business model revolves around usage of personal data, in which case GDPR is a very useful set of minimum baseline requirements for handling the data, compliance is fairly trivial.