So it's more like "if you can't do this according to the whims of my government regulators, I'll still be using your service, AND prepare for a large fine."
I think we’re perfectly fine with telling you we use your data for ML training, internal analytics or showing you relevant ads. That is standard stuff you consent to in a TOS.
If you can't easily delete or export my data, it means that you don't have a coherent, legible record of exactly how my data is being processed. You can't be sure if my data has been leaked or stolen. You can't guarantee that you'll be able to notify me in the event of a breach. You can't prove that my data was lawfully collected. I can't check the data you hold on me to ensure that it is accurate.
The GDPR is easy to comply with if your data protection policies and processes were decent to begin with. If you have read the text of the GDPR and can't see how you could bring your business into compliance, then you are almost certainly doing something seriously negligent or seriously shady.
> ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
So not a database query itself, but the thing that drives the database query. It also extends to things like logs - aka don't keep a log full of SQL queries that are full of people's personal information. Don't ship that log off to some third party, or make it available to random people.
For web apps it's mostly the storage and retrieval aspects that are important. Don't store too much PII. Don't allow anybody to access it at the DB level. Implement appropriate access restrictions at the web-app level.
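One way to act on the point above about SQL query logs, as an added example that is not part of the original comments: a Python `logging` filter that keeps the shape of each statement but replaces literal and bound values with `?` before any handler sees the record. The logger name and sample statements are constructed for illustration.

```python
import logging
import re

# String literals ('' is an escaped quote) and free-standing numeric literals.
_STRING = re.compile(r"'(?:[^']|'')*'")
_NUMBER = re.compile(r"(?<![\w$.])\d+(?:\.\d+)?(?![\w.])")
# %-style placeholders that logging would fill from record.args.
_FORMAT_SPEC = re.compile(r"%(?:\(\w+\))?[-#0 +]*\d*(?:\.\d+)?[sdifr]")


def scrub_sql(statement: str) -> str:
    """Replace literal values with '?' so only the statement's shape is kept."""
    return _NUMBER.sub("?", _STRING.sub("?", statement))


class SqlScrubFilter(logging.Filter):
    """Scrub records before a handler (file, syslog, log shipper) emits them."""

    def filter(self, record: logging.LogRecord) -> bool:
        msg = str(record.msg)
        if record.args:
            # Never render the bound values; keep only a marker for each one.
            msg = _FORMAT_SPEC.sub("?", msg)
            record.args = None
        record.msg = scrub_sql(msg)
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    # Attached to the handler so it covers every logger that feeds it.
    handler.addFilter(SqlScrubFilter())
    log = logging.getLogger("app.sql")  # hypothetical logger name
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample statements; the values are made up.
    log.info("SELECT * FROM users WHERE email = 'alice@example.com' AND age > 30")
    log.info("UPDATE users SET phone = %s WHERE id = %d", "+44 20 7946 0000", 42)
```

The filter only helps for handlers it is attached to, so it belongs on every handler whose output leaves the application, including any that forward logs to a third party.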
No one is asking.
Rather, the right question is whether the entity demanding (the EU government) has the right to do so on the basis that their jurisdiction extends to anywhere that a citizen of theirs can reach via the Internet. I argue no.
You probably disagree, which is fine, but this ultimately comes down to enforcement. And for now at least, I win on that front.