Hacker News
by scaryclam 2718 days ago
This isn't an issue I've come across. I've always put customer IDs in logging data, which is fine according to GDPR. Names, or other PII for that matter, shouldn't be in there, period. Stack traces are actually fine, just make sure you rotate your logs. Error and debugging logs are covered in the GDPR.

Third parties lying to you won't get you in trouble, it'll get them in trouble with the GDPR enforcers, so it's not worth doing that sort of "what if" exercise.

I've worked for organisations of many sizes. Basic data sanitation (aka, don't be daft) is enough. Give the GDPR a read, it's clear enough for almost all cases and isn't nearly as bad as some folks here on HN would have you believe.

2 comments

Customer IDs may or may not be OK. You will get different guidance on that. For instance, cookie IDs are personal data.
Third parties won't get you in trouble as long as you have a DPA, but you need to get it.

Customer IDs are fine as long as they can't be associated with other information anywhere else, but if they can, it's an issue.

Sanitation is easy but someone, somewhere will screw it up when you're not looking.