GDPR is a bit misunderstood by a lot of people. The main gist, as above, is: don’t do things with people’s data that they haven’t asked you to do, and keep it safe.
Arguably you could be keeping it safe by deleting it, but surely you need a record for auditing purposes. If you log onto Amazon or eBay etc., they don’t remove everything you bought every 30 days. I can still check what I bought in 2015 if I want. I’m unfamiliar with WooCommerce, but by the sounds of it, it would be reasonable to assume that it is built for sales and therefore, as long as you don’t do anything odd, it should be safe. If you get hacked due to an error in their software, it is their fault, not yours, as they provided the platform for you to use for that purpose. If you added a random module that caused the problem, then that’s your fault.
You don’t need a cookie bar if you aren’t using tracking that personally identifies the user. If it’s GA, then have a look at the docs, as it’s pretty easy to turn off marketing and anonymise the IP.
The main thing I would stress to them is to manage who controls the data. If they had a data breach, the ICO would ask things like how did it happen, who was in charge of the data, who had access to the data. This doesn’t have to be on the website. If an assistant downloads orders to an Excel spreadsheet and then emails it to the boss without a password on the spreadsheet, and it gets accidentally emailed to the wrong person (it happens!) or an email account gets hacked, then that is the company’s fault, as that is a process they have allowed to happen.
Additionally, knowing who has the password to log in is important. If a member of staff gets sacked or leaves, remove their account or change the password immediately.