[MattConfluence]

Yes, but if you are logging the IP for spam prevention, security tracking, etc, then you are in the clear per Article 6, section 1, point f [1]. However, you can't also use the IP for fingerprinting, ad targeting, etc, without acquiring informed consent, per section 1, point a.

You can put the IP in your security logs because that is necessary to secure the service. Just have a routine to scrub the logs once they are too old to be useful anymore.

You can't put the IP in your shadow profile database and sell it to shady marketing companies, unless the user has explicitly agreed to that.

The question isn't only whether something is personal information or not, it is also a question of what you intend to do with the data.

[1] https://gdpr-info.eu/art-6-gdpr/

[vonmoltke]

Article 6 establishes lawful purposes for data processing that do not require consent from the data subject. All other provisions of the GDPR (including, but not limited to, the maximum time you are allowed to hold the data) apply, since it is still Personal Data. The only way to avoid having to deal with GDPR entirely is to collect absolutely no Personal Data, which is almost impossible unless your web server has no logs.