I'd actually considered implementing a "soft delete" function for my service (knowledge management SaaS), out of fear that a user would accidentally delete something important.
Now with GDPR pending, I think I won't. I'll just leave my 'no sh*t delete' function in place. If I get a request to restore any data I can say, "Sorry, the Europeans made me burn your data when you unwittingly clicked the red 'delete' button (as well as the confirmation dialog you didn't read)."
If you purge soft-deleted records after (say) 2 months, and don't use those records for anything unless they are undeleted by the users request, I don't think that should cause any problems with GDPR.
Now with GDPR pending, I think I won't. I'll just leave my 'no sh*t delete' function in place. If I get a request to restore any data I can say, "Sorry, the Europeans made me burn your data when you unwittingly clicked the red 'delete' button (as well as the confirmation dialog you didn't read)."