In GDPR you must not keep personal data for longer than you need it. You should also periodically review the data you hold, and erase or anonymise it when you no longer need it
Many store owners achieve this via manual database updates and file handling processes - which gives the flexibility to achieve exactly what the business needs. Anonymising data is always necessary in order to create testbeds with "real data".
Maybe you would support the development of a "plugin or component to achieve this need"
Users, Orders, Invoices should be considered as separate elements each with a retention period aligned to the business need
With the ability to anonymise specified fields. If anonymise is not possible (thinking of stored PDFS) then removal of the file.
Process would be manually invoked via admin - with relevant Access control to said functions - maybe separated by data type