
That’s not totally true. GDPR only applies if the data is stored in a “filing system”. Things like logs almost certainly don’t fall under that. (Unless you were feeding them into a data mining system; that would change things.)


Believe whatever you want but (1) our lawyers disagree; (2) if you can query your logs, you have to (PS: you can; that's literally the point of things like sumologic); (3) the various privacy orgs that have published reasonable amounts of guidance -- notably ICO and DPC -- disagree.


If you ever log an email address then logs contain PII, and are therefore in scope.


So why not log just username or transaction id?


Because usernames are PII under the GDPR too.


True, but hidden IDs like the row GUID of the user are not, are they? They should be considered more like pseudonymous data[1] as they're meaningless outside the dataset.

[1] https://www.whitecase.com/publications/article/chapter-5-key...
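The approach this comment describes, keeping logs free of usernames and e-mail addresses and logging a keyed pseudonymous token instead, as an added Python example that is not part of any commenter's post. The key, the `usr_` token prefix, the regex and the sample messages are all constructed for illustration.

```python
import hashlib
import hmac
import logging
import re

# Constructed key for the keyed pseudonymisation; a real deployment would load it
# from a secrets store, and rotating it breaks the link between old and new tokens.
PSEUDONYM_KEY = b"example-key-not-for-production"

# Catches e-mail addresses that slip into free-text messages (exception text,
# form field echoes); usernames cannot be matched by pattern, so callers must
# pass them through pseudonymise() explicitly.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def pseudonymise(identifier: str) -> str:
    """Deterministic keyed token: the same user always yields the same token,
    so log lines still correlate, but without the key the token cannot be
    mapped back to the e-mail address or username."""
    digest = hmac.new(PSEUDONYM_KEY, identifier.lower().encode(), hashlib.sha256).hexdigest()
    return f"usr_{digest[:16]}"


def scrub(message: str) -> str:
    """Replace every e-mail address in a rendered log line with its token."""
    return EMAIL_RE.sub(lambda m: pseudonymise(m.group(0)), message)


class PiiScrubbingFilter(logging.Filter):
    """Rewrites the fully formatted message before any handler sees it, so the
    scrubbing happens once, regardless of how many handlers are attached."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # already interpolated; prevent a second % formatting
        return True


def render(message: str, *args) -> str:
    """Build a LogRecord, run it through the filter and format it, returning
    exactly what a handler would write. Shown here to exercise the filter."""
    record = logging.LogRecord("app", logging.INFO, __file__, 0, message, args, None)
    PiiScrubbingFilter().filter(record)
    return logging.Formatter("%(levelname)s %(message)s").format(record)


if __name__ == "__main__":
    # Username known to the caller: pseudonymise it at the call site.
    print(render("login failed for %s", pseudonymise("alice")))
    # E-mail leaking through free text: the filter catches it.
    print(render("password reset requested by %s", "alice@example.com"))
```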


Are you sure about logs? Kafka is in scope afaik.


I think so, too. Certainly, they should be in scope for the “data protection” part, or (extreme example) you would be allowed to log personal data to a publicly visible server.


To be clear, when I say GDPR doesn’t apply, I’m talking about information requests (the topic of the linked article).

The data protection part of GDPR of course applies to all PII regardless of how it’s stored. But that part is not new in GDPR, the EU has had strong data protection laws for a while. (Even if people didn’t talk about it)

