The "best practice" you mention was already illegal if you have European users; the right to be forgotten was already a consequence of existing laws and directives (just ask Google).
As for startups, the GDPR already takes company size into account, so unless their business is literally being a private NSA/Stasi/etc. they don't have much bureaucracy to deal with (https://ec.europa.eu/info/law/law-topic/data-protection/refo...)