An IP address is not regular PII, its 'linked PII'. It must be collected in conjunction with information that can identify a user to fall under GDPR, an ip on its own is worthless. If an IP address allows you to link information from HTTP logs with a user database that does have PII, then the ip address is part of the PII. If you aren't collecting any actual identifying information, then an ip is fine.
I hate the GDPR hysteria as anyone but you might be approaching this topic a bit too casual. The GDPR doesn't speak of "regular PII" or "linked PII".
Article 4.1 defines an identifiable natural person as one who can be identified, directly or indirectly, in particular by reference to for example an online identifier.
IP addresses are specifically mentioned as online identifiers in recital 30:
> Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags
Only time will tell how this will be interpreted specifically but we have at least one court decision already [1]:
> What makes a dynamic IP address personal data?
> The CJEU decided that a dynamic IP address will be personal data in the hands of a website operator if:
> there is another party (such as an ISP) that can link the dynamic IP address to the identity of an individual; and
> the website operator has a "legal means" of obtaining access to the information held by the ISP in order to identify the individual.
