> How are you supposed to handle abuse or performance issues a visitor might have?
There is such a thing as "legitimate interests" in the GDPR. Storing certain IPs specifically as a measure against spammers and botnets should be fine, as long as that's really all you do with the data.
> Or perform analytics?
This is the heart of why the GDPR exists. You are not allowed to collect and analyse personal data about your users without a legitimate reason or their consent (a legitimate reason is not "it pays our bills"). Either ask the user for permission or only store aggregated data.
Most companies just store a ton of data about users without having any clue what to do with it, "just in case". If you collect data for specific purposes, you don't need it to necessarily include any personal info ("how many users clicked the red button instead of the blue one" doesn't require any PII, for example).