Ask these Eight Questions to make your Server Logs GDPR Compliant

The web server that hosts your website collects the IP addresses of your website's users.

This operation is required in order to communicate with your users’ web browsers.

Without access to IP data, your web server will not be able to load your website into a user’s web browser.

In other words, your website will not work.

Now under GDPR (per Article 4, Point 1; and Recital 49), an IP address is considered personal data, and your server logs contain this personal data.

Depending upon how your website and shopping cart have been configured, your server log files may contain more personal data (like usernames) than just the IP addresses.

A server log is a file (or set of files) that is automatically created and maintained by the server that hosts your website.

There are different types of log files:

  • Access logs (track and record all the requests for individual files that users requested from your website)
  • Error logs (track and record different types of errors)
  • Security logs (track and record security-related events like login and logout activities and unauthorized access attempts)

Access and security logs are required to monitor and maintain website security.

Error logs are required to troubleshoot and maintain the website and server.

So we can’t just disable logging in our web server.

So we do have a legitimate need to store and maintain these log files.

And hence we can make a case of legitimate business interest for collecting IP addresses in server logs without explicit user consent:

“Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…”

Article 6, Paragraph 1, Point F

In fact, according to one German court ruling, IP addresses in server logs are not personal data.

But that is just one German court ruling, and Germany is not the whole EU.

Regardless, under GDPR you do not need explicit user consent for every type of personal data processing.

But you still need to make sure that your processing of personal data is secure and you do not collect more personal data than you need.

Ask your web host the following eight questions in order to gauge their GDPR compliance:

#1 How can I view access logs, error logs and security logs?

You need to audit your server logs to see what type of personal data is being collected.

Now in order to do the audit, you would need access to your server logs.

If your website is hosted on a shared server, then you could be out of luck. You may not get access to the server logs.
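As an added example of such an audit (this is not code from the original post), the POSIX shell script below reads an access log in the default Apache/Nginx "combined" format, where the client IP is the first field and the authenticated username is the third, and reports the personal data it finds: distinct client IPs, usernames, and request URLs that carry an email address. The log lines are constructed sample data; the file path and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an access log in the
# default "combined" format for the personal data it contains.
# Assumption: client IP is field 1, authenticated user (or "-") is field 3.

# Constructed sample log lines so the script runs self-contained.
SAMPLE_LOG="${TMPDIR:-/tmp}/audit_sample_access.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.10 - - [10/May/2018:10:15:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - alice [10/May/2018:10:15:07 +0000] "GET /account HTTP/1.1" 200 812 "https://example.test/" "Mozilla/5.0"
198.51.100.7 - - [10/May/2018:10:16:22 +0000] "POST /cart?email=bob%40example.test HTTP/1.1" 302 0 "-" "curl/7.58.0"
2001:db8::1 - - [10/May/2018:10:17:03 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
EOF

# Number of distinct client IP addresses (IPv4 and IPv6) recorded in the log.
count_distinct_ips() {
    awk '{ print $1 }' "$1" | sort -u | wc -l | tr -d ' '
}

# Authenticated usernames recorded in the remote-user field (one per line).
list_usernames() {
    awk '$3 != "-" { print $3 }' "$1" | sort -u
}

# Number of request lines whose query string carries an email address
# ("@" or its percent-encoded form %40): a sign the shopping cart is
# leaking extra personal data into the access log.
count_email_in_urls() {
    grep -c -E '[?&][^ "]*(%40|@)' "$1" || true
}

# Human-readable summary of what the audit found.
audit_access_log() {
    echo "Distinct client IPs : $(count_distinct_ips "$1")"
    echo "Usernames logged    : $(list_usernames "$1" | tr '\n' ' ')"
    echo "URLs with emails    : $(count_email_in_urls "$1")"
}

audit_access_log "$SAMPLE_LOG"
```

If the third column is never "-" on your server, your site authenticates users through the web server itself and every username is ending up in the access log; email addresses in URLs usually come from GET forms that should be POSTs.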

#2 How long do you keep the access logs, error logs and security logs before automatically deleting them?

In order to practice data minimization, you should consider deleting all log data you no longer need.

Consider deleting all log data older than a year. However, the more you delete, the better.

Web hosts generally do not delete log files and keep them until they start taking too much disk space and/or negatively affect the performance of your web server.

They also won’t delete log data unless you ask them.

If your website is hosted on a shared server then you could be out of luck. You may not get the facility to delete log files.

Note: Deleting the logs will not have an adverse effect on the performance of your web server.

#3 Is there any setting through which I can delete these logs on my own?

Some web hosts let you delete log files on your own.

Others require that you submit a support request for log file deletion.

You must have the ability to delete the logs by their date and time.

So if a user comes to you and asks you to remove their entries from the server logs, you can do that without deleting all the log data from the web server.

If your website is hosted on a shared server then you could be out of luck. You won’t get the facility to delete log files.

#4 Is it possible to automate deletion of old log files like after X days?

It is possible to automate the process of deleting log files after X days have elapsed.

For example, you can automate the deletion of all log files older than a year.

If your website is hosted on a shared server then you could be out of luck.

You won’t get the facility to delete log files or automate log file deletion.
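Questions #3 and #4 both come down to being able to delete log data selectively by date and automatically by age. The script below is an added example (not code from the original post) of both on a server where you do control the log directory: one function purges files older than a chosen number of days (meant to be run from cron), and two others strip the entries for a single client IP or a single calendar day from a log file while leaving everything else intact. The directory, retention period, sample entries and cron path are all assumptions constructed for the example; the log format assumed is the Apache/Nginx "combined" format.

```shell
#!/bin/sh
# Added example (not from the original post): retention and erasure helpers
# for a web server log directory. Assumptions: plain-text logs in the
# "combined" format (client IP in field 1, "[dd/Mon/yyyy:HH:MM:SS" in
# field 4); directory, day count and IP are parameters you supply.

# Delete log files in DIR ($1) not modified for more than DAYS ($2) days.
# Schedule it from cron for automatic retention, e.g. nightly at 03:00
# (hypothetical path):  0 3 * * * /usr/local/bin/log_retention.sh /var/log/apache2 365
purge_old_logs() {
    find "$1" -type f -name '*.log*' -mtime +"$2" -exec rm -f {} +
}

# Remove every entry for one client IP ($1) from FILE ($2), i.e. an erasure
# request, leaving all other entries untouched. Writing to a temp file and
# renaming keeps the log readable by other tools throughout.
erase_ip_from_log() {
    ip="$1"; file="$2"; tmp="$file.tmp.$$"
    awk -v ip="$ip" '$1 != ip' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Remove every entry recorded on one calendar day (DAY like 10/May/2018),
# for the case where deletion must be done by date and time.
erase_day_from_log() {
    day="$1"; file="$2"; tmp="$file.tmp.$$"
    awk -v day="$day" 'substr($4, 2, length(day)) != day' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Number of entries remaining in a log file, used to verify the result.
count_entries() {
    wc -l < "$1" | tr -d ' '
}

# --- Self-contained demonstration on constructed data ---
DEMO_DIR="${TMPDIR:-/tmp}/log_retention_demo.$$"
mkdir -p "$DEMO_DIR"

# A current log with four constructed entries spread over two days.
cat > "$DEMO_DIR/access.log" <<'EOF'
203.0.113.10 - - [10/May/2018:10:15:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2018:10:16:22 +0000] "GET /cart HTTP/1.1" 200 812 "-" "curl/7.58.0"
203.0.113.10 - - [11/May/2018:08:01:45 +0000] "GET /about HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.44 - - [11/May/2018:09:30:00 +0000] "GET /contact HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
EOF

# A rotated log backdated to 1 Jan 2017, so it is older than any sensible retention window.
: > "$DEMO_DIR/access.log.1"
touch -t 201701010000 "$DEMO_DIR/access.log.1"

purge_old_logs "$DEMO_DIR" 365                          # removes access.log.1, keeps access.log
erase_ip_from_log 203.0.113.10 "$DEMO_DIR/access.log"   # 4 entries -> 2
erase_day_from_log 10/May/2018 "$DEMO_DIR/access.log"   # 2 entries -> 1
echo "entries left in access.log: $(count_entries "$DEMO_DIR/access.log")"
```

Run the purge from cron or a systemd timer rather than by hand, and keep the retention period in one place (the cron line) so the answer to question #2 is something you can state and verify.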

#5 Do you encrypt log files? If ‘no’, then how do I enable log file encryption?

This is a very important question.

A lot of web hosts do not encrypt log files.

However, you can ask them to enforce log file encryption.

If you do not encrypt your log files, then in the event of a server breach or hack, the attackers can easily gain a lot of information about your website's users from the server logs.

Since encryption of log files is technically possible, choosing not to encrypt them means you are providing inadequate security for your users’ personal data.

If your website is hosted on a shared server then you could be out of luck. You won’t get the facility to enable or disable log file encryption.

You also cannot demand that your web host encrypt the log files. You can however try. I doubt they will entertain your request.

#6 How long are the logs kept unencrypted after they are first recorded?

You have to keep log files unencrypted for some time (at least a couple of hours) in order to detect and prevent unauthorized access.

#7 What steps have you taken to secure log data and limit the impact of a server breach?

One step is encrypting log files.

Other steps could be enhanced web server security, restricted access, secure connections (HTTPS), etc.

Again, if your website is hosted on a shared server then you are out of luck.

You really have no control over the security of your web server.

You may be sharing your server with hundreds or even thousands of other websites, which may include spammy websites, bots or hackers.

And when you are on a shared server, what other websites do can have a direct and negative impact on your website security and hence on your GDPR compliance.

#8 Can you send me the DPA (Data Processing Agreement) to sign?

If your website is on a dedicated third-party server, then your web host must send a signed DPA to you.

Read this DPA carefully and then sign it.

If your web host does not send you a DPA, or refuses to send one, then they are not GDPR compliant.

Himanshu Sharma

Certified web analyst and founder of OptimizeSmart.com

My name is Himanshu Sharma and I help businesses find and fix their Google Analytics and conversion issues. If you have any questions or comments please contact me.

  • Over eleven years' experience in SEO, PPC and web analytics
  • Google Analytics certified
  • Google AdWords certified
  • Nominated for Digital Analytics Association Award for Excellence
  • Bachelors degree in Internet Science
  • Founder of OptimizeSmart.com and EventEducation.com
