For logs, I'll suggest you aim to avoid personal data in the logs, and if necessary only log an anonymous id and separately keep a mapping to a user for the bare minimum amount of time needed, and in a way that lets you explicitly delete it easily.
A lot of the "problems" of the GDPR go away if you minimize the amount of personal data you process and retain, which incidentally generally will be good for your security as well.
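The approach described in the comment above (log only an anonymous id, keep the mapping to a user separately, for a limited time, and in a form that is easy to delete), shown as an added example that is not part of the original thread. `PseudonymStore`, `log_line` and the in-memory dictionaries are illustrative assumptions; a real deployment would keep the mapping in a separate, access-controlled store.

```python
import secrets
import time


class PseudonymStore:
    """Keeps the token -> user mapping apart from the logs, with a retention limit."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so retention can be tested
        self._by_user = {}            # user_id -> (token, issued_at)
        self._by_token = {}           # token -> user_id

    def token_for(self, user_id):
        """Return the user's current token, issuing a fresh random one if needed."""
        self.purge_expired()
        if user_id not in self._by_user:
            token = secrets.token_hex(8)   # random, not derived from the user id
            self._by_user[user_id] = (token, self.clock())
            self._by_token[token] = user_id
        return self._by_user[user_id][0]

    def resolve(self, token):
        """Map a token found in a log line back to a user, or None if it is gone."""
        self.purge_expired()
        return self._by_token.get(token)

    def forget_user(self, user_id):
        """Explicit deletion: existing log lines can no longer be linked to the user."""
        entry = self._by_user.pop(user_id, None)
        if entry:
            self._by_token.pop(entry[0], None)
        return entry is not None

    def purge_expired(self):
        """Retention sweep; returns how many mappings were removed."""
        now = self.clock()
        expired = [u for u, (_, t) in self._by_user.items() if now - t >= self.ttl]
        for user_id in expired:
            self.forget_user(user_id)
        return len(expired)


def log_line(store, user_id, event):
    """Build a log record that carries only the token, never the user id."""
    return f"actor={store.token_for(user_id)} event={event}"
```

Because the token is random rather than a hash of the user id, deleting the mapping is enough to unlink old log lines; the logs themselves do not need rewriting.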
A lot of the problems of the GDPR do indeed go away if you're building your systems from scratch, using data privacy standards significantly beyond what GDPR mandates.
Surely you see why this doesn't weaken the claim that it's hard for existing companies to understand what must be done to comply.
No, I don't, because the point is that by applying principles that are good to follow anyway, you reduce your exposure to a point where you don't really need to worry about what needs to be done to comply. At the same time you're improving security etc. as well (including internal security; e.g. I've deployed approaches like that at clients whose original intent was to prevent employees from accessing data they shouldn't, and where simplifying following data protection regulation was simply gravy).