Hard-delete isn't required by GDPR. The data itself just has to be made non-identifiable. You don't actually have to remove the database records, for instance.
There’s identifiable and sufficiently deidentified to meet the legal standard. Removing the userid meets the GDPR definition, but I bet you could reidentify based on patterns or fingerprints, if you really wanted to.