I'm not sure a lawyer would agree with your assessment of the Apache logs. If they aren't actively being used to maintain site health, the mere collection of private IPs is enough to make them unnecessary private information.
And that's the default for collection of Apache logs.
You would be 100% in the clear on that as long as you apply a reasonable retention policy to your logs. Keeping them forever isn't reasonable. Keeping them for a year almost certainly is.
You would be 99% in the clear if you do nothing. The worst that's likely to happen is that you're forced to adopt a retention policy and delete old logs, and even that is extremely unlikely unless you are Google/Facebook scale or are doing something significantly worse than industry standards.
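The retention policy suggested above can be enforced mechanically. The following is an added example, not code from anyone in this thread: a POSIX shell function that deletes rotated Apache access logs older than a configurable number of days while leaving the live `access.log` untouched. The directory and the `access.log.*` / `access.log-*` naming are assumptions about a typical logrotate layout; a `dry` mode lists what would be removed so the window can be checked before anything is deleted.

```shell
#!/bin/sh
# Added example (not from the thread): enforce a retention window on rotated
# Apache access logs. Assumes rotated files live under a directory such as
# /var/log/apache2 and are named access.log.* or access.log-* (assumption).
set -eu

# prune_logs DIR DAYS [dry]
#   Deletes rotated logs under DIR whose mtime is more than DAYS days old.
#   With a third argument "dry" it only lists them on stderr.
#   Prints the number of matching files on stdout.
prune_logs() {
    dir=$1
    days=$2
    mode=${3:-delete}
    # Reuse the same find predicate for counting and deleting. -mtime +N
    # matches files modified more than N*24h ago; the live access.log has
    # no suffix and so never matches.
    set -- -type f \( -name 'access.log.*' -o -name 'access.log-*' \) -mtime +"$days"
    count=$(find "$dir" "$@" | wc -l | tr -d ' ')
    if [ "$mode" = dry ]; then
        find "$dir" "$@" -exec sh -c 'echo "would delete: $1" >&2' _ {} \;
    else
        find "$dir" "$@" -exec rm -f -- {} +
    fi
    echo "$count"
}

# Stand-alone usage: prune_logs.sh /var/log/apache2 365 [dry]
if [ $# -gt 0 ]; then
    prune_logs "$@"
fi
```

Run it from cron (or a systemd timer) once a day with the window the retention policy states; the `dry` mode is worth keeping in the first few runs so the count can be sanity-checked against what logrotate is producing.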
I guess it varies depending on the lawyer, mine agrees with my interpretation.
Law depending on the opinion of lawyers is “useful”.
If anyone wants to attempt to prosecute me for storing Apache logs then I’m happy to defend it in court. GDPR isn’t the boogeyman unless you’re selling data. I’m quite certain there are sympathetic judges to that end. Logs are necessary and even in some cases legally mandatory.
With a 20 million euro minimum fine on the table, I don't think I'll feel comfortable on this topic until either the law is clarified or someone sets precedent.
My lawyer's great, but he won't be paying the fine if he's wrong.
$20 million isn't the minimum fine. That's the maximum fine for companies with under $500 million in annual turnover.
You aren't going to get the maximum fine unless you are doing something egregious. Collecting the default Apache logs and not using them for anything malicious isn't going to get you the maximum fine or likely any fine at all.