Re: Logging
"So we have decided, with lawyers, that we have a lawful purpose to keep the logs for 24 months."
...
"The retention period we're going for is... don't laugh... 6 years."
The retention period itself isn't the main factor. It's what you're doing with the logs in that time that really matters, and how you enforce that pattern of use.
Let's say we've got two companies. Company 1 decides to follow this draft and hold the logs for three days. But they do nothing to secure them and actively provide the information to their data analysis and marketing teams to be exploited to hell for those three days before deletion.
Company 2 decides to hold the logs for a probably ludicrous 10 years, but writes them to archival WORM storage, protected by several layers of technical and organisational process, and only ever uses them to specifically respond to suspected breaches.
Company 2 is almost certainly GDPR compliant. Company 1 is definitely not.