Yes since GDPR states that personal data is any piece of information that uniquely identifies a living person, creating a unique identifier for each visitor by definition will make you a data processor.
But a unique identifier doesn't necessarily identify a living person, particularly in isolation. It's just that it's frequently associated with a load of additional information that could eventually be used to identify someone (think advertising cookies when associated with a load of browsing data). So you can't escape from scope by saying you're using a unique ID rather than a name.
IP addresses are slightly different because that address can be used to identify the subscriber in certain cases (who in turn may or may not be an individual).
Suppose the government wants to know what a particular user was reading on your site. They can calculate the hashed ID for that user and then serve a warrant requesting the data for that ID.
You can, but you need to explicitly state in your data policy that this is what the data is used for and you can never use this data for any other purpose.
IANAL:
If you were allowed to use GDPR under an exemption, perhaps abuse protection, is that the only purpose the data will be used for by yourself and GA?
If you or a data processor you use, uses the data for secondary purposes not covered by any exemption to opt-in consent, I believe you would have to get opt-in consent for those secondary purposes beforehand.
Note: the cookie law is the ePrivacy directive (and national interpretations like PECR) and it goes beyond GDPR in some ways, as the ICO states "Although cookies that process personal data give rise to greater privacy and security risks than those that process anonymous data, PECR apply to all cookies." ( https://ico.org.uk/for-organisations/guide-to-pecr/cookies-a... )
IP addresses are slightly different because that address can be used to identify the subscriber in certain cases (who in turn may or may not be an individual).