There should be no debate that the items I mentioned are allowed under the GDPR because one or more of the lawful bases for processing applies. My point is that on many sites you're still going to be collecting and processing personal data for many legitimate reasons and therefore you still need to have all the policies and provisions in place for that data to be compliant with the data protection regulations. "Just don't collect the data in the first place" is mostly not a very useful argument for how easy it is to comply with the GDPR.
On numerous occasions in GDPR-related discussions I have seen people seriously questioning whether you can keep a basic server log with IP addresses in it of the kind that every web server has generated by default for decades. Often there are suggestions that such logs must be automatically deleted after a short period or the IP addresses masked in order to be compliant. And yet having records of which addresses were doing what on your site can be useful information for security and fraud prevention purposes months or even years after the records were originally created. So who is right? GDPR doesn't actually say and as far as I'm aware neither have any of the relevant data protection authorities yet so if you're running a site with these security concerns but also making an honest attempt to be compliant then you literally have no way to know how far you're allowed to go without crossing a line and upsetting a regulator.
That's just one everyday example that would probably apply to millions of different websites and that has been discussed many times but still with no clear answer. There are many more areas of ambiguity that even a well-intentioned organisation can easily run into. Backups and archives. Soft deletes when a user asks to delete something but you know for a fact that many users subsequently contact your support staff saying they've made a mistake and asking to restore the data. It's a long list with few clear answers.
On numerous occasions in GDPR-related discussions I have seen people seriously questioning whether you can keep a basic server log with IP addresses in it of the kind that every web server has generated by default for decades. Often there are suggestions that such logs must be automatically deleted after a short period or the IP addresses masked in order to be compliant. And yet having records of which addresses were doing what on your site can be useful information for security and fraud prevention purposes months or even years after the records were originally created. So who is right? GDPR doesn't actually say and as far as I'm aware neither have any of the relevant data protection authorities yet so if you're running a site with these security concerns but also making an honest attempt to be compliant then you literally have no way to know how far you're allowed to go without crossing a line and upsetting a regulator.
That's just one everyday example that would probably apply to millions of different websites and that has been discussed many times but still with no clear answer. There are many more areas of ambiguity that even a well-intentioned organisation can easily run into. Backups and archives. Soft deletes when a user asks to delete something but you know for a fact that many users subsequently contact your support staff saying they've made a mistake and asking to restore the data. It's a long list with few clear answers.