Maybe, but unless someone can produce legislation that demonstrates IPs are personal information it’s a moot point what Paddle are doing. I would imagine they are doing this because they are not just processing IP’s but other data that make IPs personal information in their context.
GDPR is about what I’m processing. Not about what others process. If companies take non personal information from three different websites and put it together to make personal information then they are processing personal information, not the three websites they obtained the data from. ICO will not hold me accountable for the data someone else is processing.
The problem is we’re not talking about legislation when it comes to IPs being personal information as none such exists. We’re talking about conjecture.
I totally agree, and think the best starting point is to look at what data you collect and ask yourself if you can identify an individual with this information. If yes, follow GDPR, if no, you need do nothing.
I don’t think it is. In fact I think the UK ICO have been exceptionally helpful with their website and their advice on the phone. GDPR is really not that complex. It’s looking to enforce people’s rights to their data. We found the key to be understanding that it’s only to do with information that identifies an individual and then you respect the rights they have under GDPR. The six legal basis for processing also make it easy to work out where things fit.