by theoctopus 2955 days ago
It's the data protection authority of the country that represents the customer, such as the ICO for the UK.

Thanks... another thing I wonder is if this has implications in electronic crime detection. If the data can be irretrievable soon after a deletion request has been made, doesn't that make crimes harder to investigate after the fact? I haven't done any real research on this, so maybe it's been addressed in the law.
That is exactly why you're allowed and should retain data such as server logs. You don't have to answer to deletion or transfer requests on such data.
Most people seem to agree that under GDPR, IP addresses count as personal information and you either need to get rid of IP addresses, or encrypt the data at rest and respond to deletion/retrieval requests. What makes you sure that this is not the case?
Most people, especially non-EU folk, seem to be misinformed.

You don't have to purge your system of all PII upon request. An IP address is only considered PII if it can be used with other data to identify a person. If you delete the user's account, you can keep your server logs with IP addresses as long as you have a compelling business reason.

That reason is "security and monitoring".

Really most of the GDPR is just best practices codified. You are only really in trouble if you are using customer data for purposes that you A) haven't received their consent for and B) aren't what the customer would expect given what they are using your service for.

It's explained quite clearly in https://gdpr-info.eu/art-17-gdpr/

"a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;"

Because the data is still necessary, you don't have to delete it.

You can't reasonably identify someone via an IP address alone without issuing a warrant to the ISP. GDPR is fine with storing such information.

If you are able to map the IP to a user then it becomes personally identifiable but the IP itself is not.

Probably common sense.