The GDPR does have provisions against this in place. Something along the lines of you first of all being allowed to take more time to respond, if the requests are complex and numerous, to ask for a small fee then as well and in extreme cases, you can also report such abuse to authorities.
And at the end of the day, you'll have to get sued for taking too long to respond, at which point a judge will investigate and can then tell that those requests were not legitimate.
Long answer: people actually tried to do it to Facebook, Google, etc. As a response, they each started offering self-service tools to download your data.
First you have to implement a download data function. I might be pessimistic, but with many sites requiring a login still on http and with the wonderous amount of bugs in web apps this may not be as easy as it sounds. But then: let them burn.
