by cbeach 828 days ago
Certainly one aspect of GDPR is about how you share data with third parties. But self-hosted analytics are still subject to GDPR and/or ePrivacy restrictions if you process full (unredacted) IP addresses, any user-identifying tokens, or anything else deemed as PII (Personally Identifiable Information) for purposes such as analytics without seeking user consent.
1 comments

That's true, but the "analytics" purpose is ambiguous. It could be for security: most servers already have access logs by default, which store IP addresses anyway, and they're often used for DDoS protection, for example, or fail2ban login attempts.
The ambiguity of this legislation is one of the biggest problems with it.

This ambiguity leads to companies implementing cookie warning popups based on a risk-averse interpretation of the law.