GDPR - no provision for controlling personal data of OUR customers

I am looking into our GDPR policy. We have lots of customer personal data stored on Cin 7. I want to set a company retention period if for example 3 years, so after 3 years personal data would be removed from the order. I have raised a ticket and the only way to do this is customer by customer using the Pseudonymise option! we are an ecommerce business we get some customers who only buy once, we have 109,394 customers logged on our system, we need a method of doing this on mass, by setting a rule where if a customer account has not been used in 3 years the customer personal details are psedudonymise.