(no title)

Nothing has to be automatic as far as the deletion requests go. It's fine for you to go through the db manually and grant a specific request within 30 days.

If you're big enough to get enough requests to not be able to handle the load, you can afford a couple of days of dev work.

It's mind boggling the amount of people who's interpretation of GDPR is overzealous (to the max) based on third party interpretations. Get to the source of it and you might find it's not that bad.

You're only in trouble if your business model actually relies on doing things to the data your users would not want you to do (which could be argued is for the better good).