If IPs in raw access logs were to be exempt then the right of access and portability I assume would not apply
If you think about certain countries with data retention laws, you might are not allowed to delete data for a certain time-span. Every country can overrule parts of GDPR (mostly tax related)
You're correct, that the Stattools offered via cPanel are accessing the logfiles. There is no other source. That makes is easier than using e.g. Google Analytics but IPs are stored. In e.g. Germany there are websites, which log 127.0.0.1 for every webaccess.
This is stated in the data-protection information on these website. Some use thirdparty tools to tweak the storage behavior
github.com/webfactory/mod_log_ipmask
Many wordpress plugins with analytics or security functionality are offering tools to delete or change IP addresses in logfiles since years. Nothing new beside you now have a generic label "GDPR" to make it more easy to find such functions.
Eg. Deleting and shorting IP:
blog.nintechnet.com/ninjafirewall-general-data-protection-regulation-compliance/
E.g Hashing IP:
wp-statistics.com/2017/05/26/settings-page/
The core of wordpress seems to get GDPR functionality as well.
Proposed roadmap: Tools for GDPR compliance
GDPR is not forbidding saving all this stuff. There are reasons to save IPs for longer times.
I would like to see a way, to setup data retention time span and format of logging for every website via cPanel. Just a small step, when you think about all the logs and datastreams. The website seems to be a bigger part with all the external scripts (e.g. Google Analytics is known, but you have the same IP issue with Google Fonts and Google Maps.).