If you don’t keep the records of your customers, you’d answer those requests in no time.

Aldi has become extremely succesfull without knowing their customer. Ikea probably the same.

Wrong. Even if I didn’t store anything besides absolutely necessary (does your product involve usernames or emails - bam, personal information) and was absolutely above board, it would take me hours to respond to this.

You see: you should have read the law before assuming that requesting this information from the user is legal. It had to be stored in one, single place. Therefore answering this question shouldn't take more than 5 minutes, if you have anticipated GDPR.

What about their employees? Aren't employees, or ex-employees, also entitled under GDPR to be informed about what personal data the company stores or processes? Honest question!

Of course, but they're entitled to this under pre-GDPR legislation as well, as I understand it.

I mean, if those records are being kept, it shouldn't be that hard to make them easily user-accessible, right? Support people that got the letters could just give users the link to the page with the data.

It seems to me that could easily create a privacy issue of its own. Certainly just a link would be terribly insecure, you'd need to authenticate the user. And whatever you do, you've now created a web-facing portal to the private data you're supposed to protect. Seems risky to me.

My company (Aptible) makes a product called Gridiron that does this. All of the data that a requester is entitled to can be pre-structured and organized in a source of truth. That's what Gridiron is.

The first answer is long, the other ones should be quick as you already have done the work; and can be automated.

The answer is going to be automation. You don't hire a person to physically handle each of those 1000 requests, just like you don't have someone typing in each employee's pay stub and calculating their tax withholdings.