
So it looks like having a script to delete all of a user's data can get you out of trouble with any of these letters.


But it's important to remember the GDPR doesn't give users a right to have all data deleted on request. Processors only have to delete data in certain situations.

For example, if you told the user why you collected the data, and you're still using it for that purpose, and you have a legitimate need to continue to do so then you don't need to delete the data. And there's an extra exemption for "exercising the right of freedom of expression and information".

https://gdpr-info.eu/art-17-gdpr/


- Please tell me all the data you have on me

* furiously delete all user's data *

This is probably gonna get you in much more trouble than you could have been initially. For example, France has a law telling ISPs they have to collect and retain customer data and activities for a year to be able to retroactively identify who did what online at what time; failing this is not a matter of a report that could lead to a warning and then to a fine, but years of jail time instead.


The GDPR specifically says you don't have to delete the data if you are legally required to keep it for other reasons. Most often this is financial data, but there are plenty of other examples.



