The key change is the fairly explicit punishments and apparent intent to hand them out for non-compliance. A lot of older regulations get considered by companies but the issues relegated, officially or otherwise, to "yeah, we'll apologise and fix that when someone notices" which might not be a good way to manage the risk management after next Friday.
> ... might feel like "I run a small site on a Digital Ocean droplet and I'm at risk of a €2m fine out of the blue." But that doesn't make it true.
Exactly. A lot of the unhelpful hysteria is being drummed up by consulting companies trying to sell there services to help others assess and/or manage their GDPR compliance: they are stoking the fears to improve sales.
The rest is coming from people who don't want to lose control of some of what they consider to be _their_ data. From a business perspective this is usually "I've collected it or pad for it, I should be able to keep it / sell it / use it, this is unfair, wa waa waaaaaa" and from a technical perspective many of us data people have flinch reactions to any idea of hard-delete or un-rollback-able update operations (they are not really impossible to rollback of course, anyone sensible is building considerations for backup retention policies into their procedures, but rolling back is less likely to be simple and can only be done during that retention window).
It is possible to comply with GDPR in most cases with not too much of an effort (I know some processual stuff is just boring and ugly, but doable).
It is possible to not have a cookie wall of horror, if you "just" want to do tracking (analytics) or first party onsite marketing.
It will get more complicated with personalized recommendations, profiling and stuff. I have to admit this - especially with third party vendors and such - will be a little bit more fun/challenging.