GDPR is a bit extreme. This isn't an observation on the goodness of it, simply that it requires extreme measures (relative to the status quo) for compliance.
If it's extreme it's because the status quo swung so far away from anything reasonable in terms of what people can expect.
What can be kept for legitimate business interests, security, etc. is quite extensive. Really the key is being transparent about it and making sure that people have the ability to know what is being kept and why.
as per GDPR 6(1) grounds for processing can be (b) performance of contract, (c) compliance with legal obligations (d) vital interests of data subject - which can all cover logging ip addresses and user agents for network security reasons (for a short amount of time) to protect the user, which log files are often used for. (IANAL)
yup. lots and LOTS of misunderstanding about GDPR out there. there are plenty of “escapes” for stuff like this. you just have to be mindful, and do things deliberately, which is a good thing. bigger companies will want formal review processes as CYA.
What can be kept for legitimate business interests, security, etc. is quite extensive. Really the key is being transparent about it and making sure that people have the ability to know what is being kept and why.