
I am a data controller for multiple companies, I have read the GDPR legislation cover to cover multiple times, I have been through multiple audits. You only need to care about it if you are storing personal data, end of. Downvote me if you like but that's the cold hard truth.

> IPs are apparently PII

It always pains me when people spout stuff about GDPR that they think they know but don't. Go talk to an auditor like I have many times, then you won't need to use words like 'apparently' and you will actually know what you are talking about.



> > IPs are apparently PII

> It always pains me when people spout stuff about GDPR that they think they know but don't.

Are you trying to suggest end user IPs are not PII? There is a judgement from the CJEU (Patrick Breyer v Bundesrepublik Deutschland, ECLI:EU:C:2016:779) regarding the older Data Protection Directive that an IP address is personal data if the service provider can give the IP address to a competent authority and that authority has a way to connect it to the user. As most (all?) EU countries mandate that ISPs keep logs that match IP address to subscriber and a competent authority can get this information, the IP address is almost always PII.

Or is your auditor suggesting that GDPR is less strict than the older directive regarding this case? From my reading the only real difference was that GDPR added a bit more precision on what reasonable actions are ("such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments"). At least to me the example given in the court case would be reasonable when taking those into account.

You can, of course, have legitimate interest to collect it (like many other forms of PII as well), even for cases where the data subject cannot object to it. It doesn't change the fact that it's almost certainly PII.


It’s your job, and you’ve put more time into this than I will ever put into it. True. You (hopefully) understand the law better than me and the commenter you replied to. But you certainly haven’t convinced me to read the GDPR legislation cover to cover multiple times to decide whether and how I can comply! The EU can’t tell me what to do with my Discourse website. I put it online. They can block it for their residents if they don’t like it. That is not my responsibility.



