Hacker News
by madez 3050 days ago
> No real names, no user names, no IP addresses.

Well, don't record IP addresses in the first place? Or if you need IP addresses for protection against technical attacks like DDoS attacks, then delete them as soon as possible.

What is so difficult about deleting a real name and a user name stored by you if the owner of that account asks you to?

> I haven't looked into this example, but I suspect even the name of a client on a bill would be subject to the GDPR.

Common sense gives that data on documents you are legally required to store, like for example invoices, are exempted from deletion during the legal storage duration. After that, why not anonymize them or delete completely?

Things become pretty easy if the default becomes not storing any data, and only make exemptions from it after careful consideration if it's really needed, what private data it contains and how it has to be handled based on that.

Data is not just a resource, it is also a liability.