Error logs are the first port of call for any outage. Great error logs provide context and cause to a mysterious, 3am outage. Engineers often treat…
Organizations both small and large that deal with personal data must be compliant with GDPR rules. At Coralogix, we’ve been working hard to be prepared for GDPR logging and monitoring. Preparing your data for GDPR log management can be a daunting task, so we thought we’d shed some light on the issue.
The European Union’s (EU) General Data Protection Regulation, or GDPR, is a set of regulations designed to protect the privacy of EU citizens, particularly as the volume and pace of data generated is exploding. With privacy laws and data breaches being in the news of late, GDPR log retention is seen as a way for individuals to protect their data, access their data, and understand what is being done with that data.
The regulations come into effect on May 25, 2018, and in general, terms affect any EU organization, organizations with an EU presence, and organizations with EU customers. The penalties for those who should comply with the regulations are severe: companies could face penalties of up to €20 million or 4% of their annual worldwide revenue, whichever is higher.
GDPR aims to ensure certain key rights for individuals. These rights include the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, the right to object, and the right not to be subject to automated decision-making including profiling.
Assisting users is one of the fundamental principles of Coralogix’s business, and so protecting users’ data and ensuring GDPR compliance is a natural extension of this and a priority for the company. To this end, we’re proud to declare that Coralogix is GDPR-ready.
Coralogix now runs its servers in Europe so EU citizens data doesn’t leave the continent, its infrastructure is SOC2 and PCI compliant as well as being GDPR ready. In addition to this, Coralogix’s application is certified by BDO to be SOC2 type2 compliant (security, availability, data Integrity) for 2018. A full report can be provided upon request. In order to make things easier for our customers facing GDPR regulations we have added a few features that are aimed at meeting the EU new standards:
Flexible data retention policies – change your retention plan upon request within 24H.
Data deletion – by date, or even by a specific key (e.g a specific customer requests to delete all his logs by email)
Available on the Coralogix website are our terms and conditions that spell out exactly what information is collected and why. Coralogix does not collect any personal information besides account username. It is the client’s responsibility to not send sensitive information to Coralogix’s servers.
In general, saving log data (specifically web servers which may contain PII) is allowed for a defined period (i.e retention period) for maintaining the customers’ systems availability and security.
Besides our data security policies and data encryption throughout the sending and storing chain, Coralogix offers ways to make sure PII isn’t saved and helps you clean up PII in case it did reach your log data.
Part of being GDPR compliant is ensuring that your log data is prepared for GDPR, including understanding the types of data that shouldn’t exist in logs. The points we offer here are general in nature, and we recommend obtaining legal advice to ensure full compliance.
First off, logs can contain information classified as “personal data” by default under GDPR regulations. In general, the GDPR regulations encourage organizations not to collect any information about users (let it be email addresses, phone numbers, or even IPs), unless there is documented and informed consent for this collection. It also aims to achieve, through regulation, for collected information not to be used for anything but the specific purposes that consent was given for.
This is a far cry from what has been happening up until now with log data, where the focus was on collecting and storing as much data as possible and storing this for as long as possible.
For instance, web server logs, access logs, and security audit logs all contain personal information by default as defined in the GDPR regulations, and IP addresses specifically are defined as personal data.
As a general rule, if there is not a legitimate need to store these logs, you should disable logging for these components. This type of information is not even allowed to store without having direct consent from the user, outlining the purposes you intend to store the information for.
In fact, it’s best to be on the side of caution and ensure that as little customer information is stored as possible, and even then only when necessary and only with consent – along with compliance with all the other GDPR requirements.
There is an important exception to this general rule, however: collecting and storing personal data as part of your ability to maintain the security and availability of your system and prevent fraud and/or unauthorized access, is allowed for a limited (declared) period of time.
In addition, for your application logs, make sure you don’t log any PII in your code, and define a clear retention policy so that data is periodically deleted and not stored forever. It is also important to have an easy way to track PII in your logs and delete it upon request, entirely or by a specific key/query.
Coralogix, as your GDPR-ready partner, is already on your side when it comes to this complex issue, and by ensuring that we are compliant you can rest assured that you have a strong partner with which to achieve your business goals.