>Really if you can't establish a way to recognise customers how can we (as customers) expect you to competently do 2FA and competently store data without losing it.
This is an insanely hard problem to do well. The recognition of customers is literally how phishing attacks work. This is one of the most common avenues through which people get access to systems and data they shouldn't. GDPR mandates that virtually every site needs to deal with this problem now.
Also, I'd say that retrieving all data on someone is not a trivial problem. Imagine you had a forum and somebody requests all of the data on them. However, another user has made a copy elsewhere on the forum with some notes about that user's personal data. Does the requester get access to that copy?
And now keep in mind that your complying is based on your understanding of a regulation that companies have spent millions on lawyers to figure out and still aren't entirely sure about. And you have to follow this regardless of how big or small your website or business is.
It's best effort. No regulator is going to fine you massively if you miss some data in an edge case like this. Worst case scenario, they'll tell you to do better in future.
I do see your point though, the intersection with phishing attacks is not something I'd considered in the context of GDPR.
However, as long as you provide a way for users with an account to download their data, you're 90% of the way towards compliance.
Again, unless you are FB or Google, the regulators will cut you some slack (just look at the lack of bankruptcies caused by GDPR).
Unless the text of the law is "the company shall try very hard (but if they miss a weird edge case they shall be merely sent a warning letter)", the GDPR allows selective enforcement. You note that it's already one rule for FB and Google, another for smaller companies. To what extent do you trust the courts to selectively apply the law in a sensible way, vs selectively applying the law in a harmful but legal way?
It's mostly the regulators who interpret the law and determine the remedies, as specified in the laws. In general, European regulators are aiming for compliance rather than fines, and I don't see that changing any time soon.