GDPR Logging and Monitoring Best Practices
The EU General Data Protection Regulation (GDPR) was authored in 2016 and became applicable on May 25th of 2018. You can read the regulation in its entirety in this PDF. If you have legal questions about GDPR and how it applies to your organization, you should seek the advice of a professional who is familiar with the regulation.
In this article, we’ll discuss how some of the aspects in the regulation apply to log collection practices in general, including some which you might find surprising. We’ll also talk about some precautions you can take to ensure you are compliant with these laws, and some best practices to implement to protect your customers.
What is GDPR and What Does It Regulate?
If you weren’t aware of GDPR before, you probably were after the tidal wave of privacy-related emails that invaded your inbox in May of 2018. GDPR is a collection of 99 articles which describe the rights of individuals concerning the collection of their data, and the obligations of organizations which collect that information.
Under the GDPR, consumers have rights to:
- Be informed about how their personal data is used.
- Access what information is stored about them.
- Rectify data if it is incomplete or inaccurate.
- Be forgotten and have all their data erased; no questions asked.
- Restrict how and when their data is processed.
- Retain and use their data for their own purposes.
- Object to use of their personal data.
- Be protected against the risks of automated decision-making.
The GDPR is an attempt to harmonize laws across the European Union, and as one of the most comprehensive and restrictive regulations of its type, it has become the de facto standard under which organizations operate. Organizations which don’t abide by the articles laid out may be subject to investigations and are at risk of significant fines.
What Data is Covered by GDPR?
GDPR covers the use of personal information. Information such as a user’s name, date of birth, and address is personal. The definition in the GDPR also classifies personal information as any characteristic which can be used to identify a person, from physical and physiological traits to cultural and social identities. It also covers any information assigned to an individual, such as credit card numbers, license numbers and even company-assigned identification numbers.
The law also covers less explicit information, which is where some of the surprises start to appear. Information about a person’s schedule is considered personal, as well as location information, including their IP address.
Private Information and Logging
For IT professionals, logs are a veritable goldmine of information. They allow us to monitor the health of our applications and view what is being processed in near-real time. Logs also allow us to troubleshoot problems which our consumers experience in our applications. If a consumer has experienced unusual behavior or has been unable to access parts of our application, we can search through the application logs to build a picture of their activity and understand what went wrong.
We likely use unique user IDs, IP addresses, location information, and payment information throughout our logs. We might safeguard it better due to fiduciary responsibilities, but if we removed all personal information, our logs would lose significant value.
Fortunately, the GDPR does allow for the legitimate use of a consumer’s personal information, as long as we take the necessary precautions to protect it, and we’re transparent about how we’re using it. We also need to take into account their rights, as defined, and ensure that we build processes which can remove or migrate their data if that is their request.
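The processes mentioned above have to work on the logs themselves. The following is an added example, not code from the original article or from LogDNA, of handling a data-subject request against application log records: exporting everything about one person (right of access) and erasing it, either by dropping the records or by blanking the identifying fields so the operational event survives. It assumes a hypothetical JSON-lines schema with the fields `user_id`, `email`, `client_ip`, `ts` and `msg`; the sample lines are constructed.

```python
"""Data-subject request handling for application logs.

Added example, not code from the original article or from LogDNA. It assumes
logs are stored as one JSON object per line and that the field names below
(user_id, email, client_ip, ts, msg) are our own hypothetical log schema.
"""
import json

# Log fields that can identify a data subject in this hypothetical schema.
IDENTIFIER_FIELDS = ("user_id", "email", "client_ip")
ERASED = "[erased]"

# Constructed sample log lines (not real data). The third line is deliberately
# malformed to show that a request job must neither crash on it nor hide it.
SAMPLE_LOGS = """\
{"ts": "2018-06-01T10:00:00Z", "user_id": "u-1001", "client_ip": "203.0.113.7", "msg": "login ok"}
{"ts": "2018-06-01T10:00:05Z", "user_id": "u-1002", "client_ip": "198.51.100.3", "msg": "checkout failed"}
this line is not JSON
{"ts": "2018-06-01T10:01:00Z", "user_id": "u-1001", "client_ip": "203.0.113.7", "msg": "viewed invoice"}
{"ts": "2018-06-01T10:02:00Z", "msg": "cache miss ratio high"}
"""


def parse_log_lines(text):
    """Parse JSON-lines log text; keep malformed lines visible instead of dropping them."""
    records = []
    for number, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            # An unparseable line may still contain personal data; surface it for review.
            records.append({"_unparsed": line, "_line": number})
    return records


def matches_subject(record, identifiers):
    """True if any identifier field of the record names the requesting subject."""
    return any(record.get(field) in identifiers for field in IDENTIFIER_FIELDS)


def export_subject_records(records, identifiers):
    """Right of access / portability: every record about the subject, as JSON lines."""
    return [json.dumps(r, sort_keys=True) for r in records if matches_subject(r, identifiers)]


def erase_subject_records(records, identifiers):
    """Right to erasure, strict form: drop every record about the subject.

    Returns (remaining_records, number_removed) so the job can report what it did.
    """
    remaining = [r for r in records if not matches_subject(r, identifiers)]
    return remaining, len(records) - len(remaining)


def redact_subject_records(records, identifiers):
    """Right to erasure, redacting form: blank the identifying fields but keep the
    operational event, for records that must survive (for example an incident)."""
    redacted = []
    for r in records:
        if matches_subject(r, identifiers):
            r = {k: (ERASED if k in IDENTIFIER_FIELDS else v) for k, v in r.items()}
        redacted.append(r)
    return redacted


def unparsed_records(records):
    """Lines the job could not interpret; these need a manual check before the request is closed."""
    return [r for r in records if "_unparsed" in r]
```

The identifier set should come from the verified request (the user ID and e-mail you hold for that person). Matching on `client_ip` alone is only safe when you know the address was not shared, since a NAT or proxy address can belong to many people; that is why the sample keys the request on the user ID and lets the IP follow in the same record.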
Let’s consider some actions we can take to mitigate some of this risk.
Best Practice 1: Keep Logs Only as Long as You Need
Audit your logs and determine what information they contain. Once you understand the value of the information, assess how the value changes over time. In consultation with your legal, financial and human resource personnel, develop a policy which specifies how long log records should be retained, and implement practices which automatically delete logs when the GDPR log retention period ends.
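Once the retention periods are agreed, the deletion must be automatic. Below is an added example, not code from the original article or from LogDNA, of a retention job over log records. The `category` field, the timestamp format and the retention periods are hypothetical placeholders; a record with no usable timestamp is flagged for a human decision rather than silently kept forever or deleted blindly, and an uncategorised record gets the shortest period so nothing is retained longer by accident. The sample records are constructed.

```python
"""Retention enforcement for log records.

Added example, not code from the original article or from LogDNA. The retention
periods, the "category" field and the timestamp format are hypothetical; the
real periods come from the policy agreed with legal, finance and HR.
"""
from datetime import datetime, timedelta, timezone

# Hypothetical per-category retention in days.
RETENTION_DAYS = {"access": 30, "app": 90, "audit": 365}

# Constructed sample records (not real data), evaluated against NOW below.
SAMPLE_RECORDS = [
    {"ts": "2018-05-25T00:00:00Z", "category": "access", "client_ip": "203.0.113.7", "msg": "GET /"},
    {"ts": "2018-06-20T00:00:00Z", "category": "access", "client_ip": "198.51.100.3", "msg": "GET /"},
    {"ts": "2018-04-01T00:00:00Z", "category": "app", "user_id": "u-1001", "msg": "checkout failed"},
    {"ts": "2018-01-15T00:00:00Z", "category": "audit", "actor": "admin", "msg": "role granted"},
    {"ts": "2018-05-01T00:00:00Z", "user_id": "u-1002", "msg": "uncategorised event"},
    {"category": "app", "msg": "record with no timestamp"},
]
NOW = datetime(2018, 7, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps our hypothetical logs use (e.g. 2018-06-01T10:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def retention_period(category, policy=RETENTION_DAYS):
    """Retention for a category; unknown categories get the SHORTEST configured period."""
    return timedelta(days=policy.get(category, min(policy.values())))


def apply_retention(records, now, policy=RETENTION_DAYS):
    """Split records into (kept, expired, flagged).

    expired: older than the retention period for their category, to be deleted.
    flagged: no usable timestamp, so the age is unknown; hold for human review.
    """
    kept, expired, flagged = [], [], []
    for record in records:
        try:
            age = now - parse_ts(record["ts"])
        except (KeyError, TypeError, ValueError):
            flagged.append(record)
            continue
        if age > retention_period(record.get("category"), policy):
            expired.append(record)
        else:
            kept.append(record)
    return kept, expired, flagged


def run_retention_job(records=SAMPLE_RECORDS, now=NOW):
    """Summarise one run so the job's output can itself be audited."""
    kept, expired, flagged = apply_retention(records, now)
    return {"kept": len(kept), "expired": len(expired), "flagged": len(flagged)}
```

In a real deployment the job runs per file or index shard on a schedule, and the summary it returns is what you keep as evidence that the policy is being enforced; `expired` records are deleted, `flagged` ones go to whoever owns that log source.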
Best Practice 2: Encrypt Your Logs Where Possible and Monitor Access
Log encryption is your first line of defense against unauthorized access. The GDPR guidelines expect organizations to provide adequate security around personal data, and encryption is one way to provide that security. If logs are to be retained for an extended time, ensure that the storage platform is secure.
Access to logs should be limited only to those who require it, and the access should be monitored and subject to regular audits. A centralized logging platform like LogDNA provides compliance out of the box.
Best Practice 3: View GDPR Compliance as an Investment
In addition to compliance and avoidance of a GDPR violation and subsequent fine, the protection of your consumers’ information helps establish a bond of trust between you and your user base. A better relationship with your users can only benefit your organization in the long term.
As you consider how your organization can improve data protection in the GDPR era, look for ways to make your organization more efficient as well. Consolidating platforms makes management of your users’ data easier and allows you to build better processes around maintaining that data, which can pay off well beyond compliance.