I think it is nice that the GDPR forces companies to not keep too much data about people. And you can only have data that you need for the stated purpose (of course this leaves loopholes but it is good data hygiene to always consider).

For example, if you state you want to verify age, you only need the ID for a couple of seconds. So why didn't they think about the risk of a hack before? They could have done the age verification and then immediately deleted the document. The cynical take is of course they did think about it but would take the fine if it came to that...

Maybe it is good to make an example out of Discord? "Don't keep stuff around if you don't need it" should be common sense.