GDPR means that if you handle personal data, then you need proper procedures and a valid reason for doing so. Customer consent is one valid reason, but not the only one.
- Do you have a technical or business reason to preserve records of every login, including the IP? If not, just don't do it. Data without a good purpose is just a headache for you.
- If you want to log every login (a bank might do so, I guess ...), decide what your reason is. Is it necessary to fulfill a contract? Then the contract is your reason. You have to document that and explain it in your legal boilerplate. But if you want to collect data for better targeted advertising, you probably need the consent of the data subject.
- If you have a valid reason, you also need to decide how long the data must be stored, and implement data access procedures, etc.

If you have customers, then you are a business, and you should hire an expert to advise you. You might be required to appoint a Data Protection Officer for your company, too.