Before the GDPR was introduced we had a long discussion where we dissected all the ways the GDPR might apply to Discourse. In addition to @Stephen’s and @RGJ’s dissection of the issue (with which I would generally agree), I would recommend that as a first point of call. The Right to be Forgotten is discussed there at some length:
There’s also a legal tools plugin to assist with GDPR compliance which you’re welcome to use and help in the development of if you feel more needs to be done: