That's a fair assessment and in line with the proportionality of the costs associated with becoming compliant with the GDPR, it sounds as if the company you are working for is smack in the middle of the range where the turnover:compliance costs is at its worst. This is unfortunate but I don't see any way in which that could have been avoided. For trivial companies the cost is negligible because the costs are small or nil, for large companies the cost is negligible because their turnover is huge (unless they are misbehaving on purpose, then the cost might be very large), for companies in the middle it hurts the most but it is still worth doing it and doing it right for all the reasons you listed.
As for this part of your comment:
> If this law is "no big deal" or "so easy to implement" or any other version of the arguments proposed this week, it would not be causing so much concern. It's neither an unreasonable ask or a trivial one. People are being impacted in large ways.
It's no big deal if you already had a user centric approach to privacy, if that's novel then you will probably have to change lots of procedures and some software too in order to get things right, even so I've seen far worse from a compliance point of view, look into fintech or healthcare compliance for examples.