
Most places would log the IP (for spam prevention, security tracking, etc) which is personal information under GDPR.



Yes, but if you are logging the IP for spam prevention, security tracking, etc, then you are in the clear per Article 6, section 1, point f [1]. However, you can't also use the IP for fingerprinting, ad targeting, etc, without acquiring informed consent, per section 1, point a.

You can put the IP in your security logs because that is necessary to secure the service. Just have a routine to scrub the logs once they are too old to be useful anymore.

You can't put the IP in your shadow profile database and sell it to shady marketing companies, unless the user has explicitly agreed to that.

The question isn't only whether something is personal information or not, it is also a question of what you intend to do with the data.

[1] https://gdpr-info.eu/art-6-gdpr/
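
One way to implement the scrub routine mentioned above (keep the IP in the security log while it is useful, redact it once it is older than a retention window), as an added example that is not code from the original thread or from any commenter. It assumes a common/combined web-server log format, a 30-day retention period and the constructed sample lines shown; the rest of each entry (timestamp, request, status) is kept so the log stays useful for non-personal analysis, and lines that do not parse are left untouched rather than silently dropped.

```python
"""Added example (not from the original thread): redact client IPs from
web-server log lines once they are older than a retention window.
Log format, retention period and sample lines are assumptions."""

import re
from datetime import datetime, timedelta, timezone

# Assumed retention window: how long an IP is still useful for
# spam prevention / security tracking. Justify your own value.
RETENTION = timedelta(days=30)

# Common/combined log format:  <ip> <ident> <user> [<timestamp>] ...
# The IP may be an IPv4 or IPv6 literal at the start of the line.
LINE_RE = re.compile(
    r"^(?P<ip>[0-9a-fA-F:.]+) (?P<rest>\S+ \S+ \[(?P<ts>[^\]]+)\] .*)$"
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Conventional "missing field" marker in CLF, used in place of the IP.
REDACTED_IP = "-"


def scrub_line(line: str, now: datetime, retention: timedelta = RETENTION) -> str:
    """Return `line` with its IP replaced by REDACTED_IP when the entry's
    timestamp is older than `retention` relative to `now`. Lines that do
    not parse (or carry an unparsable timestamp) are returned unchanged."""
    m = LINE_RE.match(line)
    if not m:
        return line
    try:
        ts = datetime.strptime(m.group("ts"), TS_FMT)
    except ValueError:
        return line
    if now - ts > retention:
        return f"{REDACTED_IP} {m.group('rest')}"
    return line


def scrub_log(lines, now: datetime, retention: timedelta = RETENTION):
    """Scrub every line; return (scrubbed_lines, number_of_lines_redacted)."""
    out, redacted = [], 0
    for line in lines:
        new = scrub_line(line, now, retention)
        if new != line:
            redacted += 1
        out.append(new)
    return out, redacted


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Mar/2024:10:15:32 +0000] "GET /login HTTP/1.1" 200 512',
    '2001:db8::1 - - [15/Mar/2024:08:00:01 +0000] "POST /api/token HTTP/1.1" 401 83',
    '198.51.100.9 - - [02/Apr/2024:23:59:59 +0000] "GET /admin HTTP/1.1" 403 12',
    "garbage line that does not parse",
]

# Fixed "now" so the example is deterministic (assumed, not wall-clock time).
EXAMPLE_NOW = datetime(2024, 4, 10, tzinfo=timezone.utc)


if __name__ == "__main__":
    scrubbed, count = scrub_log(SAMPLE_LOG, EXAMPLE_NOW)
    print(f"redacted {count} entr{'y' if count == 1 else 'ies'}")
    for entry in scrubbed:
        print(entry)
```

Run it as a scheduled job over rotated log files and write the scrubbed output in place of the original; the retention constant is the number you would cite in your records of processing. Replacing the IP rather than deleting the whole line keeps request paths and status codes available for capacity planning and error-rate reporting, which do not need the IP.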


Article 6 establishes lawful purposes for data processing that do not require consent from the data subject. All other provisions of the GDPR (including, but not limited to, the maximum time you are allowed to hold the data) apply, since it is still Personal Data. The only way to avoid having to deal with GDPR entirely is to collect absolutely no Personal Data, which is almost impossible unless your web server has no logs.


> which is personal information under GDPR

Not exactly; it's up to the judges to decide whether IP addresses count as personal information as defined by the GDPR (in my opinion they're not, but I can see why one would think differently), so the flaw isn't as much inherent to the GDPR as to the fact that people just don't understand the internet.


Recital 30 specifically calls out IP addresses: https://gdpr-info.eu/recitals/no-30/

While the wording of the Recital leaves some ambiguity as to whether an IP is automatically Personal Data under the GDPR, its specific call-out would make arguing that it is not difficult. This would particularly be the interpretation of American lawyers, who tend to assume that no connection is too tenuous to be held against their client by a shrewd prosecutor or regulator and will thus advise their client to treat all IPs in all situations as Personal Data.


It depends on the context. An ISP can trivially map an IP to a person.

So can Amazon/whoever if they saved the IP alongside other customer information.

But a naked ip->person lookup would require a warrant.



