Ask These Eight Questions to Make Your Server Logs GDPR Compliant

The web server that hosts your website collects the IP address of every visitor.

It has to: the server needs the client's IP address in order to send responses back to the user's web browser.

Without it, your web server cannot deliver your pages to anyone.

In other words, your website will not work.

Now under GDPR (Article 4(1), read with Recital 30, which names internet protocol addresses among the online identifiers that can be linked to a natural person), an IP address is personal data, and your server logs contain this personal data.

Depending on how your website and shopping cart are configured, your server logs may contain more personal data than just IP addresses: usernames from HTTP authentication, e-mail addresses or order numbers passed in query strings, Referer URLs that carry the previous page's parameters, and User-Agent strings that help fingerprint a device.

Server logs are files that the server hosting your website creates and maintains automatically.

There are different types of log files:

  • Access logs (track and record every request for a file that a user made to your website)
  • Error logs (track and record the different types of errors the server encountered)
  • Security logs (track and record security-related events such as logins and logouts, and unauthorised access attempts)

Access and security logs are required to monitor and maintain website security.

Error logs are required to troubleshoot and maintain the website and the server.

So we cannot simply disable logging on our web server.

We therefore have a legitimate need to store and maintain these log files.

And hence we can make a case for legitimate interest, rather than consent, as the lawful basis for collecting IP addresses in server logs (Recital 49 names ensuring network and information security, such as preventing unauthorised access and stopping denial-of-service attacks, as exactly such an interest):

“Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data […]”

Article 6(1)(f) GDPR

In fact, one German court ruling held that IP addresses in server logs are not personal data.

But that is just one German court ruling, and Germany is not the whole EU: the Court of Justice of the EU held in Breyer (C-582/14, 2016) that even a dynamic IP address is personal data for a website operator that has lawful means to identify the person behind it.

Regardless, GDPR does not require explicit user consent for every kind of personal data processing; consent is only one of the six lawful bases listed in Article 6(1).

But you still need to make sure that your processing of personal data is secure (Article 32), and that you do not collect more personal data than you need or keep it longer than you need (data minimisation and storage limitation, Article 5(1)(c) and (e)).

Ask your web host the following eight questions to gauge their GDPR compliance:

#1 How can I view access logs, error logs and security logs?

You need to audit your server logs to see what type of personal data is being collected.

In order to do that audit, you need access to the logs themselves, not just a traffic dashboard.

If your website is hosted on a shared server then you could be out of luck. You may not get access to the server logs.
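Once you do have the raw logs, the audit itself can be scripted. As an added example (not code from the original article), the Python below parses Apache/Nginx "combined" format access log lines and tallies which categories of personal data appear: the client IP, HTTP-auth usernames, identifying query-string parameters, Referer URLs that carry parameters, and User-Agent strings. The sample log lines are constructed, and SENSITIVE_PARAMS is an assumed starting list that you should extend with the parameter names your own site uses.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<ip>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

# Query-string parameter names that commonly carry identifiers.
# Assumed starting list: extend it with the parameter names your own site uses.
SENSITIVE_PARAMS = {"email", "user", "username", "name", "phone", "token", "session", "sid"}


def audit_line(line):
    """Return the list of personal-data categories found in one log line,
    or None if the line is not in combined format."""
    m = COMBINED.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    found = ["client_ip"]                      # %h is always present
    if rec["user"] != "-":
        found.append("auth_username")          # %u from HTTP basic auth
    query = parse_qs(urlsplit(rec["target"]).query)
    for name, values in query.items():
        if name.lower() in SENSITIVE_PARAMS or any(EMAIL.search(v) for v in values):
            found.append("query:" + name)      # identifiers leaked in GET parameters
    if rec["referer"] not in ("", "-") and urlsplit(rec["referer"]).query:
        found.append("referer_query")          # previous page's parameters come along
    if rec["agent"] not in ("", "-"):
        found.append("user_agent")             # device fingerprint material
    return found


def audit_log(lines):
    """Tally personal-data categories over many lines; also count lines the
    regex could not parse so a format mismatch is visible, not silent."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        found = audit_line(line)
        if found is None:
            unparsed += 1
        else:
            counts.update(found)
    return counts, unparsed


# Constructed sample lines (not real traffic) in combined format.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2018:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - alice [12/May/2018:10:00:05 +0000] "GET /account?email=alice%40example.com HTTP/1.1" 200 812 "https://example.com/login?next=/account" "Mozilla/5.0"',
    '2001:db8::1 - - [12/May/2018:10:00:09 +0000] "POST /checkout HTTP/1.1" 302 0 "-" "-"',
    "not a combined-format line",
]

if __name__ == "__main__":
    counts, unparsed = audit_log(SAMPLE_LOG)
    for category, n in sorted(counts.items()):
        print(f"{category:20} {n}")
    print(f"unparsed lines: {unparsed}")
```

Run it against a real access log with `audit_log(open("/var/log/apache2/access.log"))`; a high unparsed count means the host uses a different LogFormat and the regex needs adjusting before the tallies mean anything. Any "query:" category that shows up is a sign that your application puts identifiers in GET parameters, which is worth fixing at the source rather than scrubbing afterwards.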

#2 How long do you keep the access logs, error logs and security logs before automatically deleting them?

In order to practise data minimisation, you should delete all log data you no longer need.

Consider deleting all log data older than a year; the shorter the retention period, the better, as long as it still covers your security monitoring and troubleshooting needs.

Web hosts generally do not delete log files; they keep them until the files start taking up too much disk space and/or hurt the performance of your web server.

They also won’t delete log data unless you ask them.

If your website is hosted on a shared server then you could be out of luck. You may not get the facility to delete log files.

Note: Deleting the logs will not have an adverse effect on the performance of your web server.

#3 Is there any setting through which I can delete these logs on my own?

Some web hosts let you delete log files on your own, while others require you to submit a support request for log file deletions.

At a minimum you should be able to delete logs by date range, so that an erasure request does not force you to wipe every log on the server.

Better still is being able to remove, or overwrite, only the lines that belong to a particular client IP address: deleting a whole day's log to honour one user's request also throws away every other user's entries for that day, and the entries you need for security monitoring along with them.

If your website is hosted on a shared server then you could be out of luck. You won’t get the facility to delete log files.

#4 Is it possible to automate the deletion of old log files, for example after X days?

It is possible to automate the deletion of log files once X days have elapsed.

For example, you can automatically delete all log files older than a year.

If your website is hosted on a shared server then you could be out of luck.

You won’t get the facility to delete log files or automate log file deletion.
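When you do control the server, questions #3 and #4 come down to two small operations. As an added example, not from the original article, the Python below implements both: scrub_ip rewrites the client field of every line that belongs to one address (to an unroutable placeholder, so error and status statistics survive and other users' entries are untouched), and purge_old_logs deletes rotated files older than a retention window. The file names, the placeholder addresses and the sample log contents are constructed assumptions.

```python
import gzip
import ipaddress
import os
import tempfile
import time
from pathlib import Path


def scrub_ip(log_path, ip):
    """Erase one client's address from a log file: every line whose first
    field (%h) is `ip` gets that field rewritten to an unroutable placeholder.
    The rest of the line is kept, so status-code and error statistics survive.
    Works on plain and gzip-compressed rotated logs. Returns lines rewritten."""
    target = ipaddress.ip_address(ip)              # validates input; canonicalises IPv6
    placeholder = "0.0.0.0" if target.version == 4 else "::"
    path = Path(log_path)
    tmp = path.with_name(path.name + ".tmp")
    compressed = path.name.endswith(".gz")
    opener = (lambda p, m: gzip.open(p, m + "t")) if compressed else open
    changed = 0
    with opener(path, "r") as src, opener(tmp, "w") as dst:
        for line in src:
            first, sep, rest = line.partition(" ")
            try:
                if sep and ipaddress.ip_address(first) == target:
                    line = placeholder + sep + rest
                    changed += 1
            except ValueError:
                pass                               # malformed line: leave it as-is
            dst.write(line)
    os.replace(tmp, path)                          # atomic swap, never a half-written log
    return changed


def purge_old_logs(log_dir, max_age_days, pattern="access.log*", now=None):
    """Delete files matching `pattern` whose last modification is older than
    max_age_days. The live log is written constantly, so it never matches."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    for p in sorted(Path(log_dir).glob(pattern)):
        if p.is_file() and p.stat().st_mtime < cutoff:
            p.unlink()
            removed.append(p.name)
    return removed


def demo():
    """Constructed scenario: a live log with three clients plus a rotated,
    compressed log that is 400 days old. Returns
    (lines rewritten, live log lines, files purged, files left)."""
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        live = d / "access.log"
        live.write_text(
            '203.0.113.7 - - [12/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
            '2001:0db8::1 - - [12/May/2018:10:00:05 +0000] "GET /a HTTP/1.1" 200 10 "-" "curl/7.58"\n'
            '198.51.100.9 - - [12/May/2018:10:00:09 +0000] "GET /b HTTP/1.1" 404 0 "-" "Mozilla/5.0"\n'
        )
        old = d / "access.log.2.gz"
        with gzip.open(old, "wt") as f:
            f.write('203.0.113.7 - - [01/Apr/2017:09:00:00 +0000] "GET / HTTP/1.1" 200 1 "-" "-"\n')
        stamp = time.time() - 400 * 86400
        os.utime(old, (stamp, stamp))              # make the rotated file look a year old
        rewritten = scrub_ip(live, "2001:db8::1")  # matches the non-canonical 2001:0db8::1 above
        lines = live.read_text().splitlines()
        purged = purge_old_logs(d, 365)
        left = sorted(p.name for p in d.iterdir())
        return rewritten, lines, purged, left


if __name__ == "__main__":
    print(demo())
```

On a typical Linux host the retention half is normally handled by logrotate (its `rotate` and `maxage` directives) rather than a script, and scrub_ip must be run over every rotated copy and any backup that still holds the address, or the erasure is only partial. Note that scrub_ip handles one erasure request; if many users are expected to ask, the pseudonymisation approach under question #7 removes the address for everyone and makes per-user erasure unnecessary.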

#5 Do you encrypt log files? If not, how do I enable log file encryption?

This is a very important question.

A lot of web hosts do not encrypt log files.

However, you can ask them to enforce log file encryption.

If you do not encrypt your log files, then in the event of a server breach the attackers can easily harvest a lot of information about your website's users from the logs.

One caveat: encryption at rest protects logs on stolen disks, backups and decommissioned hardware, but not against an attacker who has already taken over the running server, where the logs are written in the clear and any decryption key is within reach. It has to be combined with restricting who can read the logs and with reducing what the logs contain in the first place.

Since encrypting log files is technically possible, and Article 32 lists encryption and pseudonymisation by name among the security measures to consider, you are providing inadequate security for your users' personal data if you choose not to encrypt them.

If your website is hosted on a shared server then you could be out of luck. You won't get the facility to enable or disable log file encryption.

Nor can you demand that your web host encrypt log files. You can try asking; I doubt they will entertain the request.

#6 How long are the logs kept unencrypted after they are first recorded?

You have to keep recent log entries readable for some time (at least a couple of hours) so that you can detect and respond to unauthorised access; what matters is how long that window lasts, and what happens to entries once they leave it.

#7 What steps have you taken to secure log data and limit the impact of a server breach?

One step is encrypting log files.

Others are hardening the web server, restricting who can read the log directory, and serving the site over HTTPS so that the request contents that end up in the logs are not also exposed in transit.

Again, if your website is hosted on a shared server then you are out of luck.

You really have no control over the security of your web server.

You may be sharing it with hundreds or even thousands of other websites, which may include spammy websites, bots or hackers.

And on a shared server, what other websites do can have a direct and negative impact on your website's security, and hence on your GDPR compliance.
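Questions #5 to #7 are about protecting log contents once the short window in which you need them raw has passed. As an added example, not from the original article, the Python below shows the complementary measure that Article 32 names alongside encryption: pseudonymising the client IP of every entry older than the detection window, either by truncating it (IPv4 to /24, IPv6 to /48) or by replacing it with a keyed HMAC token so that repeat visitors can still be correlated without the address being stored. It goes beyond the article's encrypt-or-not framing deliberately: a pseudonymised log leaks far less in a breach whether or not it is also encrypted. The key, the two-hour window and the sample log lines are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Apache/Nginx %t timestamp, e.g. [12/May/2018:10:00:01 +0000]
TIMESTAMP = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def mask_ip(ip):
    """Generalise the address: keep the IPv4 /24 or IPv6 /48, zero the rest.
    Irreversible, at the price of collapsing nearby clients into one bucket."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def pseudonymise_ip(ip, key):
    """Keyed pseudonym: the same address always maps to the same token, so a
    repeat offender can still be correlated, but without the key the address
    cannot be recovered. Anyone holding the key can brute-force the 2^32 IPv4
    space, so keep the key off the log host and rotate it with each period."""
    addr = ipaddress.ip_address(ip)
    tag = hmac.new(key, addr.packed, hashlib.sha256).hexdigest()[:16]
    return "ip-" + tag


def age_out(lines, now, window_hours, key=None):
    """Rewrite the client field of every entry older than the detection window.
    Entries inside the window are kept raw so abuse can still be investigated.
    With a key the address is pseudonymised; without one it is masked."""
    cutoff = now - timedelta(hours=window_hours)
    out = []
    for line in lines:
        first, sep, rest = line.partition(" ")
        m = TIMESTAMP.search(line)
        if not sep or not m:
            out.append(line)                         # unknown format: leave it alone
            continue
        stamp = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
        if stamp >= cutoff:
            out.append(line)                         # still within the raw window
            continue
        try:
            client = pseudonymise_ip(first, key) if key else mask_ip(first)
        except ValueError:
            out.append(line)                         # first field is not an address
            continue
        out.append(client + sep + rest)
    return out


# Constructed sample: two entries older than a two-hour window, one fresh.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2018:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '2001:db8:abcd:1234::1 - - [12/May/2018:10:30:00 +0000] "GET /a HTTP/1.1" 200 10 "-" "curl/7.58"',
    '198.51.100.9 - - [12/May/2018:12:30:00 +0000] "GET /b HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]
NOW = datetime(2018, 5, 12, 13, 0, tzinfo=timezone.utc)
KEY = b"assumed-secret-rotate-me-and-keep-me-off-the-log-host"   # not a real key


def demo():
    """Returns (masked lines, pseudonymised lines) for the sample above."""
    return age_out(SAMPLE_LOG, NOW, 2), age_out(SAMPLE_LOG, NOW, 2, key=KEY)


if __name__ == "__main__":
    for variant in demo():
        print("\n".join(variant), end="\n\n")
```

Run age_out from the same job that rotates the logs, then encrypt the rotated file to a public key whose private half lives off the server (gpg or age both do this) before it goes to backup. Masking is the safer default when you have no ongoing need to tell one client from another; the HMAC variant is for sites that still rate-limit or ban by client after the raw window, and it only holds up if the key genuinely stays away from the log host.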

#8 Can you send me the DPA (Data Processing Agreement) to sign?

Whenever a third party hosts your website, whether on a shared or a dedicated server, it is processing your users' personal data on your behalf, and Article 28(3) requires a written contract (the DPA) between you and the host setting out what it may do with that data.

Read this DPA carefully before you sign it.

If your web host does not send you a DPA, or refuses to, then it is not GDPR compliant.


Himanshu Sharma

Certified web analyst and founder of OptimizeSmart.com
