The GDPR and personal data in web server logs

April 30, 2018 | Blog, gdpr
Server logging

With the GDPR just around the corner at the time of writing, there is still a lot of work to do for businesses that use the Internet as their primary source of business. In this context, that means businesses such as web hosting companies, email providers and the like.

The problem is that, under the GDPR, IP addresses can be defined as personal information (depending upon the processing). Just about every business that uses the web is going to have some form of web server log, whether for debugging or for general day-to-day maintenance, and these logs are going to capture web requests with IP addresses.

Server logs

Web servers are set up by default to provide the user with useful information. The most popular web servers, IIS, Apache and NGINX, collect at least two of the following three types of logs:

  • Access Logs
  • Error logs
  • Security audit logs

If you use the cloud through Azure, Amazon AWS or another popular provider, you may be using load balancers as part of your infrastructure to provide resilience and availability to your application. These load balancers may also be producing logs. If this is the case, you will need to ensure that the logs are being stored within a datacentre located within the EEA.

These log files are going to contain personal information by default. Depending upon how the logs and web application are configured, they may also contain usernames which could help to build up a personal information profile of the person browsing the website.

If you don’t have a legitimate need for the storage of these logs, you should look at disabling the logging on your web server. By ensuring you are restricting the amount of personal information that is being stored, you are reducing the overall risk to your business.

Centralised logging

Centralised logging plays a big part in enterprises. It consolidates all the different types of logs into one place so that administrators can easily access and search for information. This helps to speed up troubleshooting as well as build up trend analysis. Products such as Elasticsearch, SumoLogic and Splunk, to name a few, will store this data for a specified period.

Legal basis for collection and storing without consent

Getting to the bottom line: under the GDPR, you are unable to collect and store any personal information without having obtained, and being able to prove that you have obtained, implicit consent from the data subject whose information you are storing.

You can, however, collect and store the personal information contained in server logs for the purposes of detecting and preventing fraud and unauthorised access, in order to maintain the security of your systems. The GDPR states:

Processing shall be lawful only if and to the extent that at least one of the following applies: […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Article 6, Paragraph 1, Point F

The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, […] by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned. This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.

With the GDPR in force, you should ensure that, after a period of time, you strip out all the IP addresses, usernames and any other personal information being logged in the system, so that you are not storing personal information without consent.

Encryption, access and timely erasure

The GDPR is built around the protection of the data subject. This means that you (the business) need to ensure you are doing everything you can to keep the information safe and secure, whether on your own systems or those of a third-party provider.

If you need to store logs, you should ensure that the log storage area is encrypted at rest and that access to the logs is restricted to a select few, not open to the entire business or the internet. Lastly, you should ensure that the logs are removed from the log storage area after a certain time frame.

If using a centralised logging provider, you should also ensure that any data that is sent to the provider is sent securely over HTTPS and that any personal data is pseudonymized to protect the information.
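One way to implement the two clean-up steps described above (pseudonymising personal data before logs leave your systems, and stripping IP addresses and usernames once a retention period has passed), as an added example that is not code from the original article. It assumes Apache/NGINX common or combined log format; the `scrub` and `token` names, the 30-day retention period and the demo key are all assumptions made for illustration.

```python
import hashlib
import hmac
import re
from datetime import datetime, timedelta, timezone

# Common/combined log format: host ident user [time] rest-of-line
LINE = re.compile(r'^(\S+) (\S+) (\S+) \[([^\]]+)\] (.*)$')
UNPARSED = "- - - [unparsed] -"

def token(key: bytes, kind: str, value: str) -> str:
    """Keyed pseudonym: stable under one key, not reversible without it."""
    mac = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256)
    return f"{kind}-{mac.hexdigest()[:16]}"

def scrub(line: str, key: bytes, now: datetime,
          retention: timedelta = timedelta(days=30)) -> str:
    """Pseudonymise recent entries; strip identifiers from expired ones."""
    m = LINE.match(line)
    if m is None:
        return UNPARSED  # fail closed: never forward a line we cannot parse
    host, ident, user, ts, rest = m.groups()
    try:
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return UNPARSED
    if now - when > retention:
        host, user = "-", "-"  # past retention: remove the identifiers
    else:
        host = token(key, "ip", host)
        if user != "-":
            user = token(key, "user", user)
    return f"{host} {ident} {user} [{ts}] {rest}"

# Constructed sample lines (documentation IP ranges, made-up usernames).
SAMPLE = [
    '203.0.113.7 - alice [30/Apr/2018:10:15:32 +0000] "GET /account HTTP/1.1" 200 512',
    '203.0.113.7 - - [30/Apr/2018:10:15:40 +0000] "GET /logo.png HTTP/1.1" 200 2048',
    '198.51.100.9 - bob [01/Mar/2018:08:00:00 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: real key comes from a secret store
    now = datetime(2018, 5, 1, tzinfo=timezone.utc)
    for entry in SAMPLE:
        print(scrub(entry, key, now))
```

The keyed tokens still let you correlate requests from the same visitor for security analysis, and they remain personal data for as long as the key exists, so the key needs the same access restrictions as the raw logs.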

Summary

The key thing to remember is that anything that can potentially identify a living person can be classified as personal information. Ensure that you only collect the information you absolutely need and, when you no longer need it, remove it.