Purchase Orders you shouldn't need to delete since its a financial transaction record and doesn't fall under GDPR (Please consult a GDPR expert).
In terms of Commerce tables, take a look at Contact, Address, Organization and and go from there. More here: https://world.episerver.com/documentation/developer-guides/commerce/customers/Customer-object-model-and-database-diagrams/
Also check what your membership setup is. May not be a problem if you've replaced it with an external provider.
Does anyone know of / have a script to redact personal customer information from the commerce database?
We have a need on occassion to pull down a backup of the production database and looking for a way to easily redact customer personal information so we are compliant with GDPR.
Before I make a start with a script was hopinh someone might already have a starting point.
Thanks