by mrunkel 2959 days ago
Most people, especially non-EU folk, seem to be misinformed.

You don't have to purge your system of all PII upon request. An IP address is only considered PII if it can be used with other data to identify a person. If you delete the user's account, you can keep your server logs with IP addresses as long as you have a compelling business reason.

That reason is "security and monitoring".

Really, most of the GDPR is just best practices codified. You are only really in trouble if you are using customer data for purposes that you A) haven't received their consent for and B) aren't what the customer would expect given what they are using your service for.