Redmine

At first: none of the people here (including me) here are lawyers, and especially not YOUR lawyers. Thus, none us us here can give you any binding legal advice about how to handle personal data. Your situation may be special and you may have more restrictive requirements than others. If you have questions here about what you can or have to do, you should ask a specialized layer.

With that being said, within the context of an issue tracking system, the connection between issues and users can often be processed under the "legitimate interest" clause, as the the user details and its connection to issues are required for the service (i.e. the issue tracking) to be performed. Here, it is often sufficient to only delete / anonymize data when a user specifically asks for it.

As for anonymizing any "older" data: that doesn't sounds like it would actually solve much as then, the old stored data may become rather useless in its entirety if it is entirely anonymous. Thus, it may be a better solution to just fully delete old issues if you need to remove that data. You could use the "Updated" issue filter to find issues which were not updated for say 6 months to then bulk-delete them.

Other data (such as authorships of wiki pages or forum posts) can not be deleted that way though. Here, the only solution is to actually remove the user which will update all authorships of all objects of this user to refer to the anonymous user instead.