As a small business owner, I disagree - I was essentially compliant already, with the policy changes required taking an evening to implement. (OK, there was some time spent reading before then, but still).
Ok, I will take a stab here to see how you ended up doing it in one evening.
- What did you do about logs? Things like request logs will at least contain an IP address, which is PII. Now logs can be cleared after a fixed interval, but the time for honoring the data delete request is a month, I guess. If you want to keep logs for a period longer than that, what do you do? If you anonymize IPs, it makes other analysis on top of those logs useless.
- What did you do about data backups?
- What did you do about external error reporting services?
- What did you do about analytics services?
The only reason we log IP addresses is for security purposes (e.g. to block IPs that hammer the service, for forensic investigations, fraud prevention) - in GDPR terms, that is a "legitimate interest".
Regarding backups, realistically you are not going to have to delete data from them, as it's completely impractical to delete only data for a particular user from archive. If a user requests their data to be deleted, delete it from the live site and be open with them that some data will remain in archive - securely encrypted and untouched - for your defined retention period.
Regarding analytics, we use Google Analytics, which uses IP addresses to guess location, but doesn't make them available in the admin site - so GA doesn't actually give us any PII. As such, we simply reworded the privacy policy to be more easily readable, so it's completely clear what data we collect and why. The forthcoming Privacy and Electronic Communications Regulation (aka ePrivacy Regulation) should provide some clarity if anything else is required, but it seems likely that simply having cookies enabled in your browser will count as consent.