there's a whole two hundred post debate around here whether IPs are or aren't pii on their own, with the vast majority holding the wrong position.
there's a whole branch of gdpr that people aren't considering, which is not related to software but to your business (i.e. your mail calendar). you also need a privacy policy if you are receiving phone calls. did you know that?
there's a whole bunch of implications on how liable you are about holding unwanted personal information, including unwanted medical personal information i.e. "hi I saw your gazebo renting service, I'm organizing an event but I am unable to walk due to a permanent disability and requiring a ramp is present to access your gazebo, is that so?"
there is a huge surface area for uncertainty, up to and including 'best practices' that are a constantly shifting target.
edit: to clarify the calendar part: if you have a meeting with someone, that links an identity with a location. that's why it's an issue, even without considering the address book, which is another issue by itself.
The problem is that it's a stupid question. No-one has just IP addresses, they have a mix of data. If you can combine the IP address with anything else to identify a natural person it becomes personal data.
IPs are personal data https://ec.europa.eu/info/law/law-topic/data-protection/refo...
Without conditions. Even hashing them doesn’t make them ‘irreversibly anonymized’ because the IP space is too small for hashing to be irreversible. A rainbow table can be built with all IPs and used to deanonymize the IP.
> The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
That raises an amusing question. Suppose you have a one person business with a small number of customers (a few dozen or so) that you deal with in person. With proper mnemonic techniques it would be possible to do all the storage and processing of their personal data in your head.
Does GDPR apply?
The only thing I see in the quoted paragraph that might suggest it does not is "provided the data is organised in accordance with pre-defined criteria (for example alphabetical order)". Do brains use pre-defined criteria to organize data?
This too raises an interesting question:
> Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
If data is used to train a neural net and then discarded, but you keep the trained neural net, in some sense the data is still there in the weights of the connections in the neural net. Has it been sufficiently rendered anonymous to no longer be considered personal data?
On the other hand, as parent noticed, hashing IPs is not effective as it's possible to reverse it (the IP space is small).
What if you are using IPv6?
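The point made in the comments above about hashed IPv4 addresses, as an added example that is not part of the thread: it uses plain exhaustive enumeration (not a rainbow table proper) to show that an unsalted hash is a lookup key, and that a keyed hash does not fall to the same enumeration. The sample address (from the TEST-NET-2 documentation range), the /16 search range, and the rate of 10 million hashes per second are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import os

def plain_hash(ip: str) -> str:
    """Unsalted SHA-256 of the textual address (the scheme the thread calls reversible)."""
    return hashlib.sha256(ip.encode()).hexdigest()

def keyed_hash(ip: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: enumeration needs the key as well."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()

def recover(digest: str, network: str):
    """Hash every address in `network` with plain_hash; return the match, if any."""
    for addr in ipaddress.ip_network(network):
        if plain_hash(str(addr)) == digest:
            return str(addr)
    return None

def enumeration_seconds(network: str, hashes_per_second: float) -> float:
    """Time to hash every address in `network` at an assumed hashing rate."""
    return ipaddress.ip_network(network).num_addresses / hashes_per_second

# Constructed sample data: TEST-NET-2 documentation address, searched within a
# /16 so the demo finishes quickly; the full IPv4 space only takes longer.
SAMPLE_IP = "198.51.100.23"
SEARCH_RANGE = "198.51.0.0/16"
ASSUMED_RATE = 1e7  # hashes per second, an assumption for the estimate

if __name__ == "__main__":
    key = os.urandom(32)
    print("plain hash recovered:", recover(plain_hash(SAMPLE_IP), SEARCH_RANGE))
    print("keyed hash recovered:", recover(keyed_hash(SAMPLE_IP, key), SEARCH_RANGE))
    print("all IPv4, seconds:", enumeration_seconds("0.0.0.0/0", ASSUMED_RATE))
    print("all IPv6, seconds:", enumeration_seconds("::/0", ASSUMED_RATE))
```

The IPv6 figure reflects only the raw size of the 128-bit space, and the keyed digest stays linkable to an address for anyone who holds the key.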