GDPR and web server logs

With GDPR in effect, IP addresses in web server logs or passed along in analytics tracking calls are to be treated as PII.

Anonymizing IPs

Activating IP anonymization is necessary because IP data can be used as personally identifiable information (PII), and in any decent tool this should be possible with little effort.

If Google Analytics is in use on your site then this should be active. For a more in-depth explanation, visit the IP Anonymization in Google Analytics page.

Rolling out this setting might be a bit cumbersome if you are not using a tag management solution, but in a post-GDPR world it is urgent and must be sorted.

Yes, this is one reason why a tag management system or a JavaScript "bucket" saves a ton of work.

IPs in web server logs

The false sense of having done anonymization right in your tracking solution evaporates once you realize that IPs also sit in web server logs. Web tracking is not the only thing that stores IPs; in fact most internet-connected servers generate log files packed with IP data.

If your website, like this one, shares an IP number with other websites, then very likely all the visiting IPs will be stored in one or several common log files.

This is one reason why hosting companies have denied website owners log file access and, with regard to GDPR, created vague Data Processing Agreements (DPA), falsely claimed to be data collectors, or simply obstructed log access.

The sheer number of sites sharing an IP can be found by doing a reverse IP lookup (try ViewDNS.info). The combo of a silly hosting provider, a packed web server, and no log access are good reasons to move on.

After several attempts at demanding access to log files it became evident that the hosting company was, after several years of solid service, no longer an option. After the move to a far more flexible hosting provider, this site has far better service and also log file access.

Web server log file access

Once access to the log files is possible, anonymization and/or setting up a log retention policy becomes possible. As the log retention of the hosting company (for audit / abuse monitoring) might differ, it is recommended to verify with them that they comply regarding the logs they collect. Normally the DPA should regulate this.
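One way to apply both anonymization and a retention window to an access log, as an added example that is not code from this site or its hosting provider. It assumes the common/combined log format (client address as the first field, timestamp in square brackets); the prefix lengths, the 30-day window and the names `anonymize_ip` and `scrub` are assumptions chosen for illustration.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumed policy: keep 24 bits of an IPv4 address and 48 bits of an IPv6
# address, i.e. zero the last octet / the last 80 bits.
KEEP_BITS = {4: 24, 6: 48}
TIMESTAMP = re.compile(r"\[([^\]]+)\]")  # e.g. [25/May/2018:10:00:00 +0200]


def anonymize_ip(text):
    """Return the address with its host part zeroed, or '-' if unparsable."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "-"  # never pass an unrecognised client field through
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:a.b.c.d is really an IPv4 client
    net = ipaddress.ip_network(f"{ip}/{KEEP_BITS[ip.version]}", strict=False)
    return str(net.network_address)


def scrub(lines, now, retention_days=30):
    """Yield anonymized lines that are still inside the retention window."""
    cutoff = now - timedelta(days=retention_days)
    for line in lines:
        client, sep, rest = line.partition(" ")
        stamp = TIMESTAMP.search(rest)
        try:
            when = datetime.strptime(stamp.group(1), "%d/%b/%Y:%H:%M:%S %z")
        except (AttributeError, ValueError):
            continue  # no usable timestamp: drop rather than keep forever
        if when >= cutoff:
            yield anonymize_ip(client) + sep + rest


# Constructed sample lines (documentation address ranges, not real visitors).
SAMPLE = [
    '203.0.113.77 - - [20/May/2018:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '2001:db8:abcd:12:1:2:3:4 - - [24/May/2018:09:30:00 +0200] "GET /a HTTP/1.1" 200 99',
    '198.51.100.9 - - [01/Jan/2018:00:00:00 +0000] "GET /old HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)
    for out in scrub(SAMPLE, now):
        print(out)
```

Only the first field is rewritten, so addresses that appear elsewhere in a line (for example a logged X-Forwarded-For header) need their own handling.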

External link:

Webbanalys.se - Hosting provider history