by PuffinBlue 2943 days ago
Which is to say you don't have to care much at all, seeing as you do NOT need to inform or obtain consent from users to keep web logs that serve a 'legitimate interest' such as fraud, security or spam prevention.

Obviously if you were in the business of leaving such data insecure for anyone to obtain or merrily selling it on to reap as much dollar from your visitors as possible then you may be in for a bad time.

Otherwise it's just best practice to do what GDPR says anyway in the example you provide.


From the top of https://www.gdpreu.org/the-regulation/key-concepts/legitimat...

""" “Legitimate interest” may be among the most confusing concepts written into the GDPR, which is not helped by the amount of incorrect interpretations available when you search for the term online. """

It's going to be up to individual companies and orgs how much risk they want to absorb trying to sort this dimension themselves rather than hiring a professional; I suspect we agree on that. But I suspect quite a few companies will want to soak the cost of having a professional review this stuff rather than trust their own common sense (especially if their common sense is not European-originated but they plan to have European users).

It is not risk. If your relevant regulatory body decides that your reasons are not legitimate (and if you definitely are using them to prevent service degradation and don't keep them around forever, I don't see why they would) then they will tell you so you can alter it.
Companies hate building business models and practices around "Well, if the regulator's cool with it, then..." That's the very sound risk makes.