We're a two-person startup and we've already received "the nightmare letter" (literally copied and pasted) from a few users: https://www.linkedin.com/pulse/nightmare-letter-subject-access-request-under-gdpr-karbaliotis/
It's one thing to send this type of nastygram to Google or Facebook, but sending this to someone you know is a tiny outfit is like a Denial of Service attack. We spent significant time making the systems and policies GDPR compliant, we store minimal PII (first/last/email and Google Analytics), but how do you even start to respond to this thing...