But more generally, GDPR has multiple legal bases for processing other than consent, and for any other than consent the processor might still be able to process data despite the right to be forgotten. And IME big company data processors tend to interpret these exceptions quite liberally, hoping people won't have the means to challenge their decision.
The definitions for all these exemptions are EXTREMELY narrow and court cases have demonstrated this repeatedly. If you have a legitimate interest to verify someone's ID to establish identity that does not mean you are allowed to do the ID verification yourself (rather than relying on a third party) nor that you're allowed to use a service outside the EU (e.g. Israel) nor that you (nor they) are allowed to store that ID any longer than necessary to process it exactly once.
The GDPR dictates data minimization. If your business model is incompatible with that and it's not because of regulatory requirements, I'm sorry but we have a word for that and it's "criminal enterprise".
