EU GDPR Rules and Server Log Data

This article has been edited on 3rd June 2018.

So today is May 25th, 2018 and a new EU law came into effect today. They are designed to give EU citizens more protection over how their data is handled, stored and used.

Disclaimer: Before you read on this isn’t legal advice, I am not a lawyer so please don’t take this as legal advice, please consult a legal profession.

The General Data Protection Regulation (GDPR) is all about collecting and storing personal data.

Collecting large pools of data historically has always been a business asset, the more data you had the better, however from today that data is now a liability to a business. The EU has said fines for businesses not compiling are €20 million or 4% of global turnover – whichever is higher.

In this article, I am limiting it to the Server Logs and the impact this data can have regarding GDPR.

Types of Logs:

There are three main types of logs, two we cover on here quite a bit and one other.

1. Access Logs
2. Error Logs
3. Security Audit Logs

We only cover the first two here, but the GDPR does apply to all three.

All of these logs contain personal data which is covered under the GDPR. The main thing is they track IP of the users.

IP addresses are specifically defined as personal data per Article 4, Point 1; and Recital 49.

The logs can also contain usernames if your web service uses them as part of their URL structure, and even the referral information that is logged by default can contain personal information (e.g. unintended collection of sensitive data; like being referred from a sensitive-subject website). So as you can see quite a bit of personal data can be stored.

If you don’t have a legitimate reason for storing this data you should stop immediately. You are not even allowed by law to store this data without obtaining direct consent from the user. The less data you collect the lower the risk to your business.

Reasons to collect the data:

There are a couple of legitimate ways you might want to collect and store this data, mainly around security and fraud reasons.

This data must be stored for a set amount of time if it’s for the above reasons. I know we have covered in previous articles about ticking one box can allow you to do great server log analysis, but this can also put your business at risk. I believe you should still tick this box, and we will cover some steps you need to take.

Here are the sections of the law:

Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Article 6, Paragraph 1, Point F

“The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.”

Recital 49 (excerpt)

Notably, this doesn’t exempt such collection from the strict requirements of the GDPR. Gandalf the Grey offers some great advice on how you should treat personal data to achieve GDPR compliance in your organization:

“Keep it secret; keep it safe.”

 

Important Edit: After speaking with a GDPR specialist, so long as you only collect the IP address of the user you are fine and don’t need to make any changes. However, if you logs contain other data like usernames or order details etc then these are covered now as part of the new GDPR.

What can you do:

1. Stop Collecting server logs, I would highly recommend not doing this as they can offer a great insight
2. By Default most hosts only store the data for until the end of the month, change your privacy policy to reflect this.
3. Do what we are doing
   1. Updating your privacy policy to explain you are collecting server log data
   2. Explain this data will be deleted after a set piece of time (we went with 100 days – just so if someone is trying over a few weeks to get unauthorised access to the site – I wouldn’t bother there isn’t anything here, but just in case we have the data to hopefully stop them)
   3. After 100 days delete all the user data but keep the bot data, really unless it’s for security or fraud, its only really the bot data you need anyway
4. Ignore this article and keep collecting the data and hope the EU doesn’t come after you, again not highly recommended.

This means you still have a history of what the bots are doing on your site (there is nothing in the GDPR about bots) and you can do trend analysis, detailed monthly reporting etc, but your website is also compliant with the new GDPR law.

Disclaimer: Before you act on this article, it isn’t legal advice, I am not a lawyer so please don’t take this as legal advice, please consult a legal profession to make sure your website is complaint.

Summary

You need to become compliant, if you have EU visitors visiting your website, the fines aren’t worth the risk in my opinion. It’s quite easy to become compliant, and this article explains about becoming compliant regarding your server log data you have on visitors to your website.