GDPR IP Address Logging, Retention and Monitoring
The web server that hosts your website collects IP addresses of the website users.
This operation is required in order to communicate with your users’ web browsers. Without access to IP data, your web server will not be able to load your website into a user’s web browser. In other words, your website will not work.
Now under GDPR (per Article 4, Point 1; and Recital 49), an IP address is considered personal data, and your server logs contain this personal data.
Depending upon how your website and shopping cart have been configured, your server log files may contain more personal data (like usernames) than just the IP addresses.
A server log is a log file (or set of files) that is automatically created and maintained by the server which hosts your website.
There are different types of log files:
- Access logs (track and record all the requests for individual files that users requested from your website)
- Error logs (track and record different types of errors)
- Security logs (track and record security-related events like login and logout activities, unauthorized access attempts)
Access and security logs are required to monitor and maintain website security.
Error logs are required to troubleshoot and maintain the website and server. So we can’t just disable logging in our web server.
We do have a legitimate need to store and maintain these log files.
Hence we can make a case for legitimate business interest in collecting IP addresses in server logs without explicit user consent:
“Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data……”
Article 6, Paragraph 1, Point F
In fact, according to one German court ruling, IP addresses in server logs are not personal data. But that is just a German court ruling, and Germany is not the EU.
Regardless, under GDPR, you don’t need explicit user consent for any and all types of personal data processing.
But you still need to make sure that your processing of personal data is secure and you do not collect more personal data than you need.
Ask your web host the following eight questions in order to gauge their GDPR compliance:
#1 How can I view access logs, error logs and security logs?
You need to audit your server logs to see what types of personal data are being collected.
Now in order to do the audit, you would need access to your server logs. If your website is hosted on a shared server then you could be out of luck. You may not get access to server logs.
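One way to run such an audit once you have the log files, as an added example that is not part of the original article: the script below tallies which categories of personal data appear in access log entries. It assumes the Apache/nginx "combined" log format; the sample entries, user names and addresses are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format (assumed; adjust to your server's format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)
# E-mail addresses, plain or URL-encoded (%40 is an encoded "@").
EMAIL_RE = re.compile(r'[\w.+-]+(?:@|%40)[\w-]+(?:\.[\w-]+)+', re.I)

def audit(lines):
    """Count log entries per category of personal data they expose."""
    found = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            found["unparsed"] += 1      # review these entries by hand
            continue
        found["ip_address"] += 1        # every entry carries the client IP
        if m["user"] != "-":
            found["username"] += 1      # HTTP-authenticated user name
        if EMAIL_RE.search(m["request"]):
            found["email_in_url"] += 1  # e-mail address in the requested URL
        if m["referer"] and EMAIL_RE.search(m["referer"]):
            found["email_in_referer"] += 1
    return dict(found)

# Constructed sample entries (documentation IP ranges, made-up users).
SAMPLE = [
    '203.0.113.7 - - [10/Mar/2024:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - alice [10/Mar/2024:14:01:02 +0000] "GET /account HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2024:14:05:11 +0000] "GET /unsubscribe?email=bob%40example.com HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    'garbled line',
]

if __name__ == "__main__":
    for category, count in sorted(audit(SAMPLE).items()):
        print(f"{category}: {count}")
```

Any category other than ip_address that shows up here is personal data your configuration is writing to the logs beyond what the server needs to serve pages.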
#2 How long do you keep the access logs, error logs, and security logs before automatically deleting them?
In order to practice data minimization, you should consider deleting all log data you no longer need. Consider deleting all log data older than a year. However, the more you delete, the better.
Web hosts generally do not delete log files and keep them until they start taking too much disk space and/or negatively affect the performance of your web server. They also won’t delete log data unless you ask them.
If your website is hosted on a shared server then you could be out of luck. You may not get the facility to delete log files.
Note: Deleting the logs will not have an adverse effect on the performance of your web server.
#3 Is there any setting through which I can delete these logs on my own?
Some web hosts allow deleting log files on your own. Others require that you submit a support request for log file deletions.
You must have the ability to delete the logs by their date and time. So if a user comes to you and asks to remove his entry from the server logs, you can do that without deleting all the log data from the web server.
If your website is hosted on a shared server then you could be out of luck. You won’t get the facility to delete log files.
#4 Is it possible to automate the deletion of old log files like after X days?
It is possible to automate the process of deleting log files after X days have elapsed. For example, you can automate the deletion of all log files older than a year.
If your website is hosted on a shared server then you could be out of luck. You won’t get the facility to delete log files or automate log file deletion.
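The deletion by date and time from question #3 and the automated retention from question #4 can be handled by one filter, shown here as an added example that is not part of the original article. It assumes the Apache/nginx "combined" log format; the function name, parameters and sample entries are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Leading fields of the Apache/nginx "combined" format (assumed log format).
HEAD_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def prune(lines, now, retention_days=365, erase_ip=None,
          erase_from=None, erase_to=None):
    """Return the entries to keep.

    Drops entries older than retention_days and, when erase_ip is set, entries
    from that IP between erase_from and erase_to (one user's erasure request).
    Lines that cannot be parsed are kept so nothing is discarded by accident.
    """
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for line in lines:
        m = HEAD_RE.match(line)
        try:
            ts = datetime.strptime(m["ts"], TS_FORMAT) if m else None
        except ValueError:
            ts = None
        if ts is None:
            kept.append(line)
            continue
        if ts < cutoff:
            continue  # past the retention period
        in_window = ((erase_from is None or ts >= erase_from)
                     and (erase_to is None or ts <= erase_to))
        if erase_ip is not None and m["ip"] == erase_ip and in_window:
            continue  # entry covered by the erasure request
        kept.append(line)
    return kept

# Constructed sample entries (documentation IP ranges).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2023:08:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:13:55:36 +0000] "GET /a HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Mar/2024:14:01:02 +0000] "GET /b HTTP/1.1" 200 64',
    '203.0.113.7 - - [12/Mar/2024:09:00:00 +0000] "GET /c HTTP/1.1" 200 64',
]
NOW = datetime(2024, 4, 1, tzinfo=timezone.utc)  # fixed "today" for the example

if __name__ == "__main__":
    day = datetime(2024, 3, 10, tzinfo=timezone.utc)
    for line in prune(SAMPLE, NOW, erase_ip="203.0.113.7",
                      erase_from=day, erase_to=day + timedelta(days=1)):
        print(line)
```

Run from a daily scheduled job with only the retention setting, this covers the "after X days" case; the erasure arguments are for one-off requests. Rotated or archived copies of the logs need the same treatment.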
#5 Do you encrypt log files? If ‘no’ then how do I enable log file encryption?
These are very important questions. A lot of web hosts do not encrypt log files. However, you can ask them to enforce log file encryption.
If you do not encrypt your log files, then in the event of a server breach/hack, the hackers can easily gain a lot of information about your website users from server logs.
Since encryption of log files is technically possible, you are providing inadequate security for your users’ personal data if you choose not to encrypt your log files.
If your website is hosted on a shared server then you could be out of luck. You won’t get the facility to enable or disable log file encryption. You also cannot demand that your web host encrypt log files. You can, however, try. I doubt they will entertain your request.
#6 How long are the logs kept unencrypted when they were first recorded?
You have to keep log files unencrypted for some time (at least a couple of hours), in order to detect and prevent unauthorized access.
#7 What steps have you taken to secure log data and limit the impact in the case of a server breach?
One step is encrypting log files. Other steps could be enhanced web server security, restricted access, a secure connection (HTTPS), etc.
Again, if your website is hosted on a shared server then you are out of luck. You really have no control over the security of your web server. You may be sharing your website with hundreds or even thousands of other websites which may also include spammy websites, bots or hackers.
And when you are on a shared server, what other websites do can have a direct and negative impact on your website security and hence GDPR compliance.
#8 Can you send me the DPA (Data Processing Agreement) to sign?
If your website is on a dedicated third-party server then your web host must send a signed DPA to you. Read this DPA carefully and then sign it.
If your web host does not send you the DPA, or refuses to send it, then they are not GDPR compliant.