Sure, but regardless of your data-retention period, you still have to know where to find everything derived from anything user-generated, if you want to accurately respond to requests. You're free to argue that the GDPR is making companies do things that they already ought to have been doing, but my point is that "just don't be one of those evil user-tracking companies" is not a viable compliance policy in itself.
If your data retention period is less than your response time (which has to be less than a month), can you not say "everything we had at the time of request is deleted" and be done with it?
A reminder that we're talking about passing visitors without accounts here, and for logging and analytics there shouldn't be a need to store anything longer than a couple days.
