
I was wondering about a catch-22 where someone misbehaves, then gets banned, cites GDPR and demands their data be deleted (they can do that, right?)... and signs up again later with the same data... wash, rinse, repeat...



You can keep storing an identifier (like an email address) without any problems if you have a reason (like to blacklist them).


IANAL. I think you can't store raw email without user consent. It is personal data one wants to be forgotten. However you can keep pseudonymised data [0] [1]. E.g. just keep MD5/SHA hash of the email string.

[0] https://en.m.wikipedia.org/wiki/Pseudonymization

[1] https://www.protegrity.com/pseudonymization-vs-anonymization...
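As an added example that is not part of the thread: a ban list that retains only a keyed pseudonym of the address (HMAC-SHA256 under a server-side secret, going beyond the bare MD5/SHA hash mentioned above, which can be matched by hashing guessable addresses), so the raw email can be erased while a re-registration is still detected. The key value and the email normalisation rule are assumptions.

```python
# Added example (not code from the thread): keep a ban list keyed by a
# pseudonymised email instead of the raw address or a bare MD5/SHA digest.
import hashlib
import hmac

# Assumption: in production this key comes from a secrets store; the value
# below is a constructed placeholder so the example runs stand-alone.
PSEUDONYM_KEY = b"constructed-placeholder-replace-with-32-random-bytes"


def normalise_email(email: str) -> str:
    """Canonicalise so trivial variants (case, whitespace) map to one pseudonym."""
    local, _, domain = email.strip().rpartition("@")
    if not local or not domain:
        raise ValueError("not an email address")
    # Lower-casing the local part is a policy choice, not an RFC guarantee.
    return f"{local.lower()}@{domain.lower()}"


def pseudonymise_email(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 under a server-side key. Unlike a bare SHA/MD5 of the
    address, the digest cannot be matched by hashing guessed addresses
    without the key, so a leaked ban list reveals nothing on its own."""
    canonical = normalise_email(email).encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


class BanList:
    """Stores only pseudonyms; the raw address is processed transiently."""

    def __init__(self) -> None:
        self._banned: set[str] = set()

    def ban(self, email: str) -> None:
        self._banned.add(pseudonymise_email(email))

    def is_banned(self, email: str) -> bool:
        return pseudonymise_email(email) in self._banned


def erase_account(accounts: dict, email: str) -> bool:
    """Honour an erasure request: drop the raw address and profile. The ban
    pseudonym (if any) lives separately as the fraud-prevention minimum."""
    return accounts.pop(normalise_email(email), None) is not None


if __name__ == "__main__":
    bans, accounts = BanList(), {"alice@example.com": {"name": "Alice"}}
    bans.ban("Alice@Example.com")                  # misbehaviour: ban
    erase_account(accounts, "alice@example.com")   # erasure request
    print(bans.is_banned("alice@example.com"))     # True: re-signup caught
```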


Your right to be forgotten is not absolute, but instead balanced against the business's interests: you can process personal data without consent when you have a legitimate interest in doing so. Recital 47 of the GDPR states: "the processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned". Storing a hash is likely a better practice for mitigating the damage of a data breach, though you have to process the raw email to get and compare hashes either way.


Hopefully that means you could keep some data like an email address that is key to creating an account to prevent abuses or duplication or other things.


Which bit of GDPR do you think forces you to get permission to store raw email address?




