TL;DR: yes it's personal data, yes you can store the identifier in the device, yes the data should eventually be deleted, but no, this doesn't have to complicate how your device works.
Personal data is any information that relates to an identifiable person. The GDPR has an extremely broad view of identification: it recognizes both direct and indirect identification with additional data, and also identification with the help of third parties. Even just singling out the data relating to one person counts as identification, so that even “anonymous” identifiers (such as cookie IDs) are typically personal data.
In your case, the technical identifier is very likely to be personal data: it clearly relates to an identifiable subscriber.
This does not prevent you from storing or otherwise processing the personal data. You just need to do so in a GDPR-compliant manner. In particular, this means:
- having a clear purpose of processing
- having a legal basis that authorizes this processing activity
- only processing the personal data as necessary for the purpose
- implementing appropriate technical and organizational measures to ensure the security and compliance of processing
- providing transparent information about the processing to the data subjects
- preparing to satisfy data subject requests (e.g. access, erasure, and so on)
An Art 6(1) GDPR legal basis is necessary to authorize the processing of personal data. This could be:
- the processing is necessary to fulfil a contract with the data subject
- the processing is necessary to fulfil a legal obligation
- the processing is necessary for a legitimate interest (requires conducting a balancing test and usually requires offering an opt-out)
- the data subject has given consent
An ISP might rely on any of these legal bases depending on context. For example, diagnosing connectivity problems might be necessary to fulfil the contract. Or the subscriber has consented to pre-emptive network monitoring. The ISP might have a legitimate interest in keeping logs for a reasonable duration in case there are recurring problems.
Only processing the data as necessary also means that it should be deleted when it is no longer necessary. The GDPR does not prescribe fixed retention periods. Instead, how long data can be kept depends on the purpose for which it is being kept.
Technical and organizational measures might include the device capability and corresponding training for service personnel to factory-reset a measurement device when it is uninstalled from a subscriber.
It seems that you are not the ISP. For GDPR aspects, the data controller is responsible for compliance. The controller is whoever determines the purposes and means of processing, i.e. who decides why and how personal data is being processed. If you just design a device for another company but do not control how it is operated, it is quite possible that you're not a data controller. This greatly simplifies your obligations to general product liability questions. You'll likely want to develop a product that can be used in a GDPR-compliant manner, but you have no influence over many aspects of GDPR compliance, such as selecting an appropriate legal basis.