I took ten minutes to implement GDPR on a small ecommerce website: we deleted Google Analytics (HTTP logs and carts tracking is more than enough) and replaced Facebook widgets by a simple link. Newsletter was already opt-in only, we don't sell private data, and user account deletion was already possible.

That seems extraordinarily flippant.

I can't imagine giving up Google Analytics for http logs on a content-driven site.

GA is useless if you don't know how to use it.

I can't imagine giving it up either, but that's because we actually use it to produce useful insights, not just look at our traffic and referrers which is probably what most people use it for in aggregate.

Our advanced use of GA was cart tracking from first visit to payment. Reviewing our use of the tool, we determined that anonymous tracking of carts evolution was more than enough for our needs. That means a) almost same feature set as what was used before and b) no nagging cookie screen for our users unlike our competitors (really small and near-insignificant improvement in itself, I know, but our biggest competitor uses a TRUSTe cookie screen which blocks the full view and is quite slow)

Why would you give up on GA? You’re already not allowed to store personal data in it according to their TOS so (assuming you’re abiding by them) you can just leave it running.

By default GA stores IP addresses, so you need to get consent about storing this personal data. There's a flag you can set to tell Google you want no IP addresses in your data collection.

'user account deletion was already possible.' Do you not use backups? How was this done within 10 minutes?

GDPR doesn't say you have to purge backups. That's nonsense spread by people who have assumed it's stupid without reading it.

"The individual can be assured that their personal data will not be restored back to production systems (except in certain rare instances, e.g., the need to recover from a natural disaster or serious security breach). In such cases, the user’s personal data may be restored from backups, but the controller will take the necessary steps to honor the initial request and erase the primary instance of the data again."

It sounds like you need to erase the data again even if you used a backup. That means you need a separate database of the entries you deleted. So it's still unclear how that could be integrated within 10 minutes.

> It sounds like you need to erase the data again even if you used a backup. That means you need a separate database of the entries you deleted.

Which you would need anyway. What, you're gonna make previously-deleted users active again after a backup restore? Fixing references to deleted data from active data might be a little more work, but tombstoning the deleted users isn't hard.

I’m going to bet a huge portion of websites do not delete data again upon backup. It’s the simplest implementation. Data deletion usually does not matter to the flow of business unless in specific cases.

As long as the backups expire within a reasonable amount of time there's no problem with this.