
GDPR is harder than that, there is a bunch of legal stuff and having to have someone legally responsible to follow the more vague parts of the GDPR.

GDPR is not just "not exploiting their personal data for commercial gain" but a lot of busy work with massive fines if you make any mistakes. How are most community forums going to work with that?



If I don't collect any PII, even to the point of not bothering with analytics, and the only cookies I use are for auth or other absolutely necessary functionality, are there GDPR rules I need to worry about?


No. Various 'consultancies' will tell you otherwise, but the only thing you really need to provide is a chance for users to delete their data. Ideally also an option to extract/download it, but I don't think anyone has ever really been hassled for that.

Contrary to all the BS the tech lobby says, you don't even have to have a cookie banner today if you don't collect data beyond what is technically needed.


Fines are proportional to turnover, and you don't get fined if you don't have any turnover. People are very scared of GDPR in a way that doesn't reflect the actual enforcement!

You do have to avoid leaking, though; it's effectively a requirement to do information security.


It's a max amount or a percentage of turnover, whichever is higher.


I don't buy it -- GDPR is about protection of PII. Don't collect it, you're done.

OK, slightly flippant; it might take half an afternoon of training for all staff.

https://gdpr.eu/checklist/



