Also, at least in the EU, you're legally mandated to keep transaction history along with customer information for some number of years iirc. Don't know how that combines with GDPR.
Actually the GDPR is very clear about this.[0] Instead of setting an arbitrary limit, it says it should be the shortest period necessary in the context of other laws and requirements. So if you need to keep the records for 5 years for tax reasons, you should delete them after 5 years.
Yes, and one of the costs of the implementation was actually the justification of keeping data, and segregating said data. We had some data we could keep 10 years, some (most) only two, some had to be deleted once the client left.
[0] https://ec.europa.eu/info/law/law-topic/data-protection/refo...