[erichocean]

Let me put it this way: if I found out this guy was using my IP address and machine config to do analytics and perform "security" checks, I'd report him to my regulator. Dead serious.

"Analytics" is not what his company is for, ergo, using my Personal Data to do analytics isn't okay. He sure as hell isn't doing it for my benefit. I'm also not hiring him for security, so the same reasoning applies: he doesn't get to store my IP address in his logs without asking.

And when I say "no" to his opt-in modal, he'll still have to provide me non-degraded service. The fact that he can do so is yet another indicator that the data collection is not a legitimate interest.

[DanBC]

The security of their network is a legitimate interest. The regulator would see that alone as sufficient reason to gather data, especially if that data is mostly discarded 7 days later.

[erichocean]

No. They could start looking at IPs once they actually had a security problem, but there's no way in hell they "need" to write my IP address hither and yon to protect their network.

Look, you can definitely discover and monitor for problems by simply hashing IPs and storing the hash instead. Once you've detected a potential problem (say, a lot of requests from the same hash), only then do you have a "legitimate business need" to record the actual IP addresses and do some short-term analysis of the situation.

The spirit of the law is simple: if you don't absolutely need to store personal data, DON'T. Just don't. Store something else. Or just drop the data into /dev/null. Saying that you'll delete soon the personal-data-you-don't-need isn't sufficient.

And really, if this is the way GDPR compliance is going to go, "muh security" is quickly going to gain the reputation as the bullshit reason shady people trot out who want to disobey the law. People who actually care about security should push back on that strongly.