GDPR does not specify retention periods for personal data. Instead, it states that personal data may only be kept in a form that permits identification of the individual for no longer than is necessary for the purposes for which it was processed.
In other words, if you do not need your clients data, you can best delete it. In practice a lot of companies have therefore set a retention period for keeping data of 3 years.
With GDPR: Search & Destroy you can delete all data that is older then x amount of time. In this example we set up a task that the time frame is 3 years. Create the query created<3years and choose the action Delete ticket & delete requester. When this trigger is applied, all tickets created older than 3 years will be deleted. It will also delete the ticket requester if the ticket requester has not created a new ticket in the last 3 years. If the Ticket requester did create new tickets, the ticket requester will not be deleted.