there's a whole two hundred post debate around here whether ip are or aren't pii on their own, with the vast majority holding the wrong position.
there's a whole branch of gdpr that people aren't considering, which is not related to software but to your business (i.e. your mail calendar). you also need a privacy policy if you are receiving phone calls. did you know that?
there's a whole bunch of implications on how liable you are about holding unwanted personal information, including unwanted medical personal information i.e. "hi I saw your gazebo renting service, I'm organizing an event but I am unable to walk due to a permanent disability and requiring a ramp is present to access your gazebo, is that so?"
there is a huge surface area for uncertainty, up to and including 'best practices' that are a constantly shifting target.
edit: to clarify the calendar part: if you have a meeting with someone, that links an identity with a location. that's why it's an issue, even without considering the address book, which is another issue by itself.
Largely pointless. EU courts have in the past ruled that IPs are personal data because they can be tracked back to a person. End of story.
>there's a whole branch of gdpr that people aren't considering, which is not related to software but to your business (i.e. your mail calendar).
was largely already covered by the previous EU privacy law and the German privacy law. Courts largely agree that calendars for appointments are fine as long as you keep them reasonably secure and don't throw them around in public.
>you also need a privacy policy if you are receiving phone calls. did you know that?
Yes I did. I informed myself when I registered as a small business.
They are wrong. IPs are not personal data. End of story.
In the EU IP addresses are legally defined as personal data and have been for a long while now. End of story.