
GDPR doesn't get that specific, but the judges in the courts do.

In Breyer v. Bundesrepublik Deutschland, E.C.J., No. C-582/14, 10/19/16, it was ruled that internet protocol addresses relating to visitors' use of websites constitute "protected data" according to European Union laws.



Thank you for the case citation. This is the summary I found:

https://curia.europa.eu/jcms/upload/docs/application/pdf/201...

My reading of that, and online commentary that I've found, seem to indicate that the IP address is not personal data across the board, but rather only in a specific context. I'm a little over my head in whether that specific context is "basically all the time" or not. It sounds like it only applies when you have the legal right to make the ISP give you subscriber info related to an IP address?


From that document and other reading, I think it's also when a combination of information results in being able to identify a person. For example, dynamic IP address + timestamp is not enough for anybody but the ISP. But add in other information, for example HTTP headers, and it might be unique enough.

Also, what they're saying is some things trump privacy. Legal requirements to keep logs. Legitimate interest, e.g. billing. Defending against cyber attacks. Using that information for other purposes is still a no-no.

TL;DR: IP address + other info often becomes PII, and there are some exceptional cases where it's legitimate to store PII despite privacy concerns.



