Re: Where does it all end?
I think this is going to be one of the big headaches. Say you're in a band that maintains a website where people can sign up to get email about forthcoming performances, new CD releases. Will you now have to put the whole GDPR infrastructure in place to allow people to (securely) log in and manage the PII you hold?
I can see a market for companies to provide "club sites" that look after this sort of thing, for a fee of course, much as eBay and Amazon Marketplace do for small traders. Some of those sites will be competently and securely run, but others will not. For those that are not, there's an opportunity for hackers to gain access to far more PII than would be put at risk by keeping a mailing list on your home PC, even though the latter could be a GDPR violation.