zlacker

1.) That "if outsourcing, check compliance" part isn't trivial, though. Some suppliers still don't provide data processing agreements. For example, as of now it seems like I won't be able to use DocuSign for digitally signing contracts anymore because they seem to not understand what the new laws implies for them and consequently don't provide a DPA. The last time I checked competitors didn't do so either. It's good that companies have to check their processes for privacy compliance but if that disrupts a company's operations with no real remedy other than falling back to paper-based processes that's definitely a problem (admittedly in this case not one that could be solved by legislative bodies)

3.) No, unfortunately it isn't that easy. Some people - lawyers even - argue that merely someone contacting you via email or handing you a business card doesn't necessarily constitute legitimate interest on your part to process their contact data for the purpose of contacting them in the future. I disagree with that opinion but that people are even arguing about this shows that this isn't just business as usual.

5.) You could argue that this has the potential for breaking how the web has worked until now. If you now have to check for legal compliance first each time before merely linking to an external resource (because that might reveal the user's IP address) that simply doesn't scale. Linking to and drawing upon external resources arguably is what makes the web the web.