
My experience was the months I spent with a very competent (and no doubt expensive) French law firm to help my employer implement GDPR compliance. None of that is public info that I can link to, however.

I’ll edit to add that the user must be notified that you are collecting and processing personal data, which includes IP address. And the hard part is that you must also have internal paper trails that prove that you have written that notification in full knowledge of all the data processing done on your behalf by all your service providers. Is a data center owner routing traffic to your server? You need paperwork in which they commit not to store the IP addresses of your visitors, for example. That is not public-facing but must be available to regulators upon their request.

That’s the hard part of compliance and what most people skip. They click OK on the standard agreements with service providers and put up a standard privacy template. That is not actually compliant but folks are essentially betting that they are small enough that data regulators won’t ever come call them on it.



There's a known side effect of highly paid legal work... it will produce lots of results. But was it all required or just-in-case-CYA? Is one highly paid lawyer more correct than a sample of European institutions? Maybe...



