1. National legislations in several jurisdictions are beginning to align their data protection legislation with the GDPR anyway (some are even more demanding), and this is not a new problem anyway. A decade ago I had to review worldwide data protection legislation for a multinational, and we found there were around 30 different national requirements to fulfil. The idea that the GDPR is the first time you needed to take foreign data protection law seriously is a dangerous myth.
2. The GDPR doesn't define any data as "critical". It defines certain categories as sensitive, but these are essentially the same categories as were defined as sensitive under the EU Directive and thus under our UK DPA 1998. So no change there.
3. In which case you'll probably be awarded it. The maximum penalties are assigned where wilful negligence or intent to act unlawfully are in evidence.
4. The GDPR right of erasure is qualified by the data in question no longer being required for legitimate declared business purposes, so this is also a non-problem.
The best solution would be to take advice from people who actually know what they're talking about. Every Tom, Dick and Harry has suddenly become an "expert" on the GDPR, and almost all of them are talking tosh, probably due to the five-day-and-pub-quiz Data Protection Officer crash courses. Would you employ a CFO who'd only taken a one-week course in accounting?