Personal data has a very wide definition under GDPR:
>‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
An IP address, or an email address is personal data. Even a pseudonym or a session ID is personal data. Yes, having a log for security purposes (GDPR recital 49) captures personal data (even just access dates and requested URLs may be considered to be personal data). Yes, a comment section on a blog may capture personal data.
Once again, I'm fine with all of this. But ignoring GDPR by not capturing personal data is more complex that it might seem.
