Ask these Eight Questions to make your Server Logs GDPR Compliant

The web server that hosts your website collects the IP addresses of your website's users.

This operation is required in order to communicate with your users’ web browsers.

Without access to IP data, your web server will not be able to load your website into a user’s web browser.

In other words, your website will not work.

Under GDPR (per Article 4, Point 1; and Recital 49), an IP address is considered personal data, and your server logs contain this personal data.

Depending upon how your website and shopping cart have been configured, your server log files may contain more personal data (such as usernames) than just IP addresses.

A server log is a file (or set of files) that is automatically created and maintained by the server that hosts your website.

There are different types of log files:

  • Access logs (track and record all requests for individual files that users make to your website)
  • Error logs (track and record different types of errors)
  • Security logs (track and record security-related events such as login and logout activity and unauthorized access attempts)

Access and security logs are required to monitor and maintain website security.

Error logs are required to troubleshoot and maintain the website and the server.

So we can’t just disable logging in our web server.

So we do have a legitimate need to store and maintain these log files.

Hence we can make a case for legitimate business interest as the lawful basis for collecting IP addresses in server logs without explicit user consent:

“Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…”

Article 6, Paragraph 1, Point F

In fact, according to one German court ruling, IP addresses in server logs are not personal data.

But that is just a German court ruling, and Germany is not the whole EU.

Regardless, under GDPR you do not need explicit user consent for every type of personal data processing.

But you still need to make sure that your processing of personal data is secure and you do not collect more personal data than you need.

Ask your web host the following eight questions to gauge their GDPR compliance:

#1 How can I view access logs, error logs and security logs?

You need to audit your server logs to see what type of personal data is being collected.

To do the audit, you need access to your server logs.

If your website is hosted on a shared server, you could be out of luck. You may not get access to the server logs.

#2 How long do you keep the access logs, error logs, and security logs before automatically deleting them?

To practise data minimization, you should consider deleting all log data you no longer need.

Consider deleting all log data older than a year. The shorter the retention period, the better.

Web hosts generally do not delete log files; they keep them until the files start taking up too much disk space and/or degrade the performance of your web server.

They also won't delete log data unless you ask them to.

If your website is hosted on a shared server, you could be out of luck. You may not get the facility to delete log files.

Note: Deleting the logs will not have an adverse effect on the performance of your web server.

#3 Is there any setting through which I can delete these logs on my own?

Some web hosts allow you to delete log files on your own.

Others require that you submit a support request for log file deletion.

You must have the ability to delete the logs by their date and time.

So if a user comes to you and asks to remove their entries from the server logs, you can do that without deleting all the log data from the web server.

If your website is hosted on a shared server, you could be out of luck. You won't get the facility to delete log files.

#4 Is it possible to automate the deletion of old log files, for example after X days?

It is possible to automate the process of deleting log files after X days have elapsed.

For example, you can automate the deletion of all log files older than a year.

If your website is hosted on a shared server, you could be out of luck.

You won't get the facility to delete log files or to automate log file deletion.
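The retention pruning and per-user erasure described in questions #3 and #4, as an added shell example that is not from the original article. It assumes the Apache/nginx combined log format (client IP in field 1, timestamp in field 4), rotated files named like access.log.1 or *.gz, and a find that supports -delete; the log lines in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): prune rotated web server logs
# older than a retention period (question #4) and erase one client's entries
# for one day (question #3). Assumes combined/common log format, i.e. the
# client IP is field 1 and the timestamp field 4 reads "[10/Oct/2000:13:55:36 +0000]".
set -eu

# Delete rotated log files under directory $1 last modified more than $2 days ago.
# Suitable for a daily cron job; the live access.log/error.log do not match the
# name patterns and are left alone.
prune_old_logs() {
    find "$1" -type f \( -name '*.log.[0-9]*' -o -name '*.gz' \) -mtime +"$2" -print -delete
}

# Remove every line in log file $1 for client IP $2 on day $3 (format dd/Mon/yyyy).
# Other clients' entries and the same client's entries on other days are kept.
# The file is rewritten through a temp copy so its owner and mode are preserved;
# run it on rotated (closed) files, not on the file the server is still writing.
erase_ip_entries() {
    tmp="$1.tmp.$$"
    awk -v ip="$2" -v day="$3" \
        '!($1 == ip && index($4, "[" day ":") == 1)' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Count lines in log file $1 whose client IP is $2 (used to verify the erasure).
count_ip_entries() {
    awk -v ip="$2" '$1 == ip { n++ } END { print n + 0 }' "$1"
}

# Demo on constructed sample data in a temp directory (no real logs are touched).
demo_dir=$(mktemp -d)
log="$demo_dir/access.log.1"
printf '%s\n' \
  '203.0.113.7 - - [10/Oct/2000:13:55:36 +0000] "GET / HTTP/1.1" 200 512' \
  '203.0.113.7 - - [11/Oct/2000:09:01:02 +0000] "GET /a HTTP/1.1" 200 10' \
  '198.51.100.3 - - [10/Oct/2000:14:00:00 +0000] "GET /b HTTP/1.1" 404 0' > "$log"
erase_ip_entries "$log" 203.0.113.7 10/Oct/2000
echo "entries left for 203.0.113.7: $(count_ip_entries "$log" 203.0.113.7)"   # 1
touch -t 200001010000 "$demo_dir/access.log.2"   # a rotated file dated year 2000
prune_old_logs "$demo_dir" 365                   # prints the path it deleted
rm -rf "$demo_dir"
```

Point prune_old_logs at your real log directory from cron with 365 as the second argument to get the one-year retention the article suggests.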

#5 Do you encrypt log files? If not, how do I enable log file encryption?

This is a very important question.

A lot of web hosts do not encrypt log files.

However, you can ask them to enforce log file encryption.

If you do not encrypt your log files, then in the event of a server breach or hack, the attackers can easily gain a lot of information about your website users from the server logs.

Since encryption of log files is technically possible, choosing not to encrypt them means you are providing inadequate security for your users' personal data.

If your website is hosted on a shared server, you could be out of luck. You won't get the facility to enable or disable log file encryption.

You also cannot demand that your web host encrypt the log files. You can, however, try; I doubt they will entertain your request.

#6 How long are the logs kept unencrypted after they are first recorded?

You have to keep log files unencrypted for some time (at least couple of hours), in order to detect and prevent unauthorized access.

#7 What steps have you taken to secure log data and limit the impact of a server breach?

One step is encrypting log files.

Other steps could be enhanced web server security, restricted access, secure connections (HTTPS), etc.

Again, if your website is hosted on a shared server then you are out of luck.

You really have no control over the security of your web server.

You may be sharing your server with hundreds or even thousands of other websites, which may include spammy websites, bots or hackers.

And when you are on a shared server, what other websites do can have a direct and negative impact on your website security, and hence on your GDPR compliance.

#8 Can you send me the DPA (Data Processing Agreement) to sign?

If your website is on a dedicated third-party server, then your web host must send a signed DPA to you.

Read this DPA carefully and then sign it.

If your web host does not send you a DPA, or refuses to send one, then they are not GDPR compliant.

Himanshu Sharma

Digital Marketing Consultant and Founder of Optimizesmart.com