I disagree with you in the burden that GDPR places on a company. If a company takes data protection seriously handling such a letter would be a matter of minutes because they already have the processes in place. The GDPR is almost two years old now and it's just an update of the DPR which has been in place since the mid-90s: nobody should be caught by surprise by now except companies that deliberately decided that making sure you're compliant with the law is something that should be ignored right until the cops are knocking at your door.