GDPR compliance

We have had a conversation with our lawyers, and they have a couple of concerns regarding the use of Acounting in the EU due to non-compliance with GDPR. This actually makes it illegal to use in the EU.
They have especially expressed concerns about the handling of users regarding the deletion process since we are not able to delete users who have received invoices, nor can we deactivate them.

It should be possible to deactivate a user, so that when a user is deactivated their personal information can stay on previous invoices and similar. All invoices/bills/etc they have previously received must remain in the system. They must however no longer receive any more recurring invoices/bills/etc from the system. Furthermore, they should not appear as options when creating new recurring things.
Furthermore, when a user is deleted, their personal information can no longer be in the system. This means that all invoices/bills/etc they have previously received must remain in the system, but all the personal information on these must be anonymized so it would be impossible to trace the invoices/bills/etc back to the user who received them.

How do you, other Acounting users, deal with GDPR? And is there anything else regarding GDPR that we are not aware of?