Why IP address truncation fails at anonymization
6 points by untitaker
I think this would be clearer with a couple of principles introduced at the start. (I am not a lawyer; not only is this post not legal advice, it also contains some oversimplifications that would make your compliance officer sad.)
The first is that the GDPR makes you liable in cases of deanonymisation. This makes any form of anonymisation tricky, because you have to consider it in conjunction with other data sources, including ones that you don't currently have. The article hints at this in a few places (including some explicit judgements).
The second is the concept of linked vs linkable data. Linked data is data that is directly tied to your identity. Linkable data is data that can be tied to your identity if you combine it with other data sources. Often your problem here is to make data not linkable.
I'm nervous of the IPCrypt recommendation. It's after the bit that talks about data sharing, but if you keep the keys then you may also have problems with retention because you can use them to construct a rainbow table.
From a GDPR perspective it's interesting at the moment because IPv4 for many is behind a CGNAT, so the IP does not really help you. On the other hand, IPv6 for quite a few deployments will happily reveal a unique user for months, which is in part why some ISPs have started rotating prefixes every few days. Because in practice IPv4 has become so hard to use for law enforcement processes, Austria, for instance, now mandates that you get an IPv6 always when you are behind a CGNAT on IPv4.
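The retained-key concern raised in the thread above, as an added example that is not part of any comment: a deterministic keyed pseudonym stays linkable for whoever holds the key, because the candidate address space is small enough to enumerate. HMAC-SHA256 stands in for IPCrypt here as an assumption, and the function names and sample addresses are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets


def pseudonymize(key: bytes, ip: str) -> str:
    """Deterministic keyed pseudonym for an IP (HMAC-SHA256 stand-in, not IPCrypt)."""
    packed = ipaddress.ip_address(ip).packed
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def build_lookup(key: bytes, network: str) -> dict[str, str]:
    """Whoever retains the key can precompute pseudonym -> IP for a candidate range."""
    return {pseudonymize(key, str(ip)): str(ip)
            for ip in ipaddress.ip_network(network)}


def relink(stored: list[str], table: dict[str, str]) -> list[str | None]:
    """Map stored pseudonyms back to addresses where the table covers them."""
    return [table.get(p) for p in stored]


# Constructed sample data: documentation-range addresses (RFC 5737).
SAMPLE_IPS = ["192.0.2.17", "192.0.2.200", "198.51.100.5"]


def demo() -> dict[str, list[str | None]]:
    key = secrets.token_bytes(32)
    stored = [pseudonymize(key, ip) for ip in SAMPLE_IPS]
    # Key retained: every record inside the enumerated /24 is linkable again.
    with_key = relink(stored, build_lookup(key, "192.0.2.0/24"))
    # Key destroyed: a table built under any other key matches nothing.
    other_key = secrets.token_bytes(32)
    without_key = relink(stored, build_lookup(other_key, "192.0.2.0/24"))
    return {"with_key": with_key, "without_key": without_key}


if __name__ == "__main__":
    print(demo())
```

The same enumeration scales to the whole IPv4 space, which has only 2^32 addresses, so the retention question applies to the key as much as to the stored pseudonyms.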