No, it's not that simple. Software often must change, privacy policies worth anything must be reviewed by someone qualified (which costs money), etc. No government regulation is without cost.
It is that simple, actually. You guys had TWO WHOLE YEARS to update your software. The problem is that everyone forgot about it until the last minute. That is a personal problem, not a problem with the GDPR itself.
I implemented the data importing and exporting in our MMORPG in <24 hours, added anonymization features when I was bored over the weekend, and implemented a rough version of the latest XenForo patches before they were released. All that took probably about like 6 hours of development time.
The hardest process was writing the privacy policy and actually educating all the staff about handling data correctly.
If you're genuinely having trouble getting those basic things implemented with two years (or more, honestly) of notice, you probably have a monstrously large company and can afford to actually hire people to do this.
Otherwise, sorry to be blunt, but you slacked off and are paying the price. The GDPR is genuinely a good set of laws and most people were just lazy and are now upset.
Federal Law No. 242-FZ
Service providers in Russia are required to retain your data for use by the government, hardly what I'd call data protection.
You literally cherry-picked the amended addition added in 2014. The original law is more than a decade old and IS genuinely about data protection. Russia has had better data protection laws than most of the world up until recently. Feel free to read No. 152-FZ.
The point, though, is not that Russia is better than anyone else; don't worry, I'm well aware we have our problems too.
The point is we have had very strict laws that required you to carefully handle any sort of personal information (names, birthday, address, social status, education, profession, race, religious beliefs, political opinions, etc.) and a lot of the data processing policies that companies implemented in Russia are pretty much directly translatable to the GDPR.
My point is that it hasn't been an issue for our companies to treat sensitive information that belongs to your fellow countrymen with the slightest amount of respect.
1. Don't store stuff you don't need
2. Let people know who all is involved in data processing
3. Let people know WHY you need that data
4. While you still have that data, be careful with it
5. When someone requests you delete their sensitive information, delete it if it isn't absolutely necessary (e.g., not ban information, not fraud information, etc.)
6. When data becomes unnecessary, delete it