This pretty much. I've had a lot to do with GDPR in the projects I'm involved with. It's largely trivial if you aren't already doing terribly risky things, in which case yeah, it's a pain, but it doesn't change the necessity of fixing issues that put user private data at risk (with or without the GDPR existing). GDPR just puts more incentive on solving issues in regards to privacy instead of just letting companies shrug and move on because it's not their problem if data is stolen or leaked or letting them do what they want with the data without permission.