The GDPR is the new privacy law in the EU. Basically it says:
They are offline as well as online. So it's not only about the data you got in the database but also you are not allowed to leave person-related information on the conference tables.
It's basically a hardcore regulation because the big companies have proven again and again that they are not to be trusted. So the EU upped the stakes and made it pricey for companies to be reckless.
The main point of critique could be smaller companies and the overhead that is happening there... Does this help? Or do you want the links to the laws?
Oh, and this goes for IPs as well, since they are person-related data -> so all your access logs now are not allowed to store them anymore.
One trick is asymmetric salted hashes for IPs or data that you need to keep, so you cannot reconstruct that data but you can say 'hey, this user has been here already n times' (flood protections, for example).
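
An added example, not part of the original post: one way to count repeat visitors without keeping the IP, using HMAC-SHA256 with a secret key as the salted hash (an assumption; the post names no algorithm). The class and method names are hypothetical, and the addresses are constructed documentation-range values.

```python
import hashlib
import hmac
import ipaddress
import secrets
from collections import Counter


class IpPseudonymizer:
    """Counts hits per client while storing only a keyed hash of the IP."""

    def __init__(self, key=None):
        # The key is the "salt". It must stay secret: IPv4 has only 2**32
        # values, so an unkeyed hash could be reversed by trying them all.
        self._key = key or secrets.token_bytes(32)
        self._hits = Counter()

    def token(self, ip_text):
        # Parse first so different spellings of one address give one token
        # and malformed input raises ValueError instead of being counted.
        packed = ipaddress.ip_address(ip_text.strip()).packed
        return hmac.new(self._key, packed, hashlib.sha256).hexdigest()

    def record(self, ip_text):
        """Register one request and return how often this client was seen."""
        tok = self.token(ip_text)
        self._hits[tok] += 1
        return self._hits[tok]

    def is_flooding(self, ip_text, limit):
        return self._hits[self.token(ip_text)] > limit

    def rotate_key(self):
        # A fresh key makes old tokens unlinkable to new ones, so the
        # counters are reset together with it (e.g. once per day).
        self._key = secrets.token_bytes(32)
        self._hits.clear()


if __name__ == "__main__":
    p = IpPseudonymizer()
    for ip in ["192.0.2.7", "192.0.2.7", "198.51.100.23", "192.0.2.7"]:
        print(p.token(ip)[:16], "seen", p.record(ip), "times")
    print("flooding:", p.is_flooding("192.0.2.7", limit=2))
```
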