[jchw]

Most people seem to agree that under GDPR, IP addresses count as personal information and you either need to get rid of IP addresses, or encrypt the data at rest and respond to deletion/retrieval requests. What makes you sure that this is not the case?

[mrunkel]

Most people, especially non EU folk, seem to be misinformed.

You don't have to purge your system of all PII upon request. An IP address is only considered PII if it can be used with other data to identify a person. If you delete the user's account, you can keep your server logs with IP addresses as long as you have a compelling business reason.

That reason is "security and monitoring".

Really most of the GDPR is just best practices codified. You are only really in trouble if you are using customer data for purposes that you A) haven't received their consent for and B) aren't what the customer would expect given what they are using your service for.

[Geee]

It's explained quite clearly in https://gdpr-info.eu/art-17-gdpr/

"a. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;"

Because the data is still necessary, you don't have to delete it.

[tjoff]

You can't reasonable identify someone via an IP address alone without issuing a warrant to the ISP. GDPR is fine with storing such information.

If you are able to map the IP to a user then it becomes personally identifiable but the IP itself is not.

[DelightOne]

Probably common sense.