The coverage of GDPR I've seen (and in my view, the regulation itself) has been pretty clear that data becomes covered "personal data" only to the extent that the data, in aggregate, can be used to identify a real person.<p>So an IP address <i>on its own</i> is almost never personal data, because of wifi, NAT, dynamic IPs, shared devices, etc. Then again, a <i>name</i> is almost never personal data on its own either, "John Smith" could refer to any one hundreds of thousands or people or it could be a pseudonym and refer to literally billions of people.<p>But if someone registers on your site, and you log the IP address <i>and</i> their name, you're a lot closer to persona data. Add a timestamp, and you probably can identify a real person.<p>So if you're trying to be careful about GDPR, you should probably be careful about storing IP addresses (or IP addresses that can be linked to other bits of potentially personal data). The focus of GDPR compliance can't be on "oh this field is fine, but this field is personal data", it should be on what you're collecting in aggregate. That makes IP addresses dangerous, because they provide a lot of information that could be used to identify someone.