Web server logs contain information classified as personal data by default under the European Union's General Data Protection Regulation (GDPR). The new privacy regulation comes into effect from May 2018. Just about everyone needs to take action now to become compliant.

Disclaimer: I'm not a lawyer and I'm not providing you legal advice. Contact your legal counsel for help interpreting and implementing the GDPR. This article is provided for entertainment purposes, and amounts to nothing but my interpretation of the GDPR.

The General Data Protection Regulation shifts the default operating mode for personal data collection from "collect and store as much information about everyone as possible for all eternity" to "don't collect any information about anyone unless there's documented and informed consent for the collection, and don't use that information for anything but the specified purposes". The GDPR turns big-data collection of personal data on the web from an asset into a liability, with fines as high as 20 000 000 euro or 4 % of global revenue (whichever is greater).

I've limited the scope of this article to discuss and focus on some of the technical requirements surrounding personal data collected by default in the logs generated by popular web server software. I'll not go through the entire GDPR and all the requirements, but focus on some actionable points.

The default configuration of popular web servers, including Apache Web Server and Nginx, collects and stores at least two of the following three types of logs:

Error logs (including processing-language logs like PHP)

All of these logs contain personal information by default under the new regulation. IP addresses are specifically defined as personal data per Article 4, Point 1, and Recital 49. The logs can also contain usernames if your web service uses them as part of their URL structure, and even the referral information that's logged by default can contain personal information, e.g. unintended collection of sensitive data like being referred from a sensitive-subject website.

The less customer information you store, the lower the risk to your organization. You're not even allowed to store this type of information without having obtained direct consent, for the purposes you intend to store the information for, from the persons you're storing information about. If you don't have a legitimate need to store these logs, you should disable logging in your web server.

Legal basis for collecting and storing logs without consent

You can't collect and store any personal data without having obtained, and being able to document that you obtained, consent from the persons you're collecting data from. You can, however, still collect and store personal data in your server logs for the limited and legitimate purpose of detecting and preventing fraud and unauthorized system access, and ensuring the security of your systems. Here are the relevant excerpts from the GDPR that allow data collection for this type of purpose:

"Processing shall be lawful only if and to the extent that at least one of the following applies: (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child."

"The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e."
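As an added example (not code from the original article), the following Python filter rewrites lines in the "combined" access-log format that Apache and Nginx write by default so that only what a security-monitoring purpose needs survives: the client IP is truncated to its network, the query string and any username path segment are removed, and the Referer and authenticated-user fields are dropped. The username URL prefixes, the /24 and /48 truncation widths and the sample log line in the usage are assumptions, not anything the article specifies.

```python
import ipaddress
import re
import sys
from urllib.parse import urlsplit

# Apache/Nginx "combined" log line: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed URL layouts in which a username is a path segment, e.g. /users/alice/settings
USERNAME_PREFIXES = ("/users/", "/~")


def anonymize_ip(ip):
    """Zero the host part of the address: /24 for IPv4, /48 for IPv6 (assumed widths)."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def strip_username(path):
    """Replace the username segment after a known prefix with a fixed placeholder."""
    for prefix in USERNAME_PREFIXES:
        if path.startswith(prefix):
            rest = path[len(prefix):].split("/", 1)
            return prefix + "<user>" + ("/" + rest[1] if len(rest) > 1 else "")
    return path


def minimize_line(line):
    """Return the data-minimized form of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    f = m.groupdict()
    ip = anonymize_ip(f["ip"])
    # Query strings often carry tokens or e-mail addresses, so only the path is kept.
    path = strip_username(urlsplit(f["path"]).path)
    # Even the Referer host can reveal what the visitor was reading, so it is dropped entirely,
    # as is the authenticated-user field; status, size and user agent stay for troubleshooting.
    return (f'{ip} - - [{f["ts"]}] "{f["method"]} {path} {f["proto"]}" '
            f'{f["status"]} {f["size"]} "-" "{f["ua"]}"')


if __name__ == "__main__":
    # Usage: python minimize_log.py < access.log > access.min.log
    for raw in sys.stdin:
        out = minimize_line(raw.rstrip("\n"))
        if out:
            print(out)
```

Running the filter in a log-rotation hook, or on the pipe into your log collector, keeps the raw lines from ever being retained.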