GDPR Aspects

Hello @luckilyhappy

Thank you for showing interest in our plugin. Below are all the answers to your questions:

The personal identifiable data that the plugin keeps a log of are the IP address and also the WordPress username, which is also PID. It does not use any cookies or any other pieces of data.

It is important to point out that:

a) a plugin or a software cannot be GDPR compliant. A website or a complete service has to be GDPR compliant.

b) GDPR does not restrict you from keeping a record of PID. GDPR is about enforcing website / online services owners being transperant about what they do with the users’ data. In fact such data is needed in the logs, otherwise the logs have no value from the security and management point of view.

c) In fact GDPR requires you to keep a log of who accesses specific data etc.

So the aim here is not to strip the data from the logs, but to tell the users about what data are you keeping and what you are doing with it. We wrote about this in more detail in;

– Can I use WP Activity Log on GDPR compliant websites?
– Enhancing your GDPR toolkit with the WordPress activity log

We have also prepared a privacy policy template for users like you, who would like to use the plugin on their website. Here it is: https://wpactivitylog.com/policy-notice/#plugin_notice.

The data is stored in the WordPress database or in an external database (optional). You can read more on how the data is stored in the activity log database documentation.

The plugin also has a Purge Activity Log button, which when used it deletes all the logs.

In regards to plugin retention, I am afraid that the least amount of time you can keep the logs for is 1 month.

If I may, instead of approaching GDPR this way, and worrying on how to delete data, all you need to do is tell the users what you are doing with the data. If you iron that out, you should not have any problems and your website will be 100% compliant.

I hope that helps. Should you have any further questions, please do not hesitate to ask.

Hi @wpwhitesecurity,

Thank you for your extensive response. I had not worded my question correctly there. You are, of course, right about what you are saying about the compliance of software or plugins. In general, you are also right to remind that a lot is really about giving information.

However: As for the 1 month period: I think this is a point where it may or may not be enough to just tell users what one does. In the end, that – unfortunate for at least one of the participants, then – may be settled in court (hopefully, of course, by the formation of a general legal opinion before that). For the question is: what is the necessary period one needs to store a certain information. And to store it beyond that can be problematic. I have compared how sample privacy declarations, privacy declaration generators etc. generally select the period of time. While in certain, mostly special and security related cases, there may be a need for a lonoger period of storage, perhaps even to be decided after a careful weighing of all factors for each case according to the principle of proportionality, generally speaking, what I have found has varied from 7 days two roughly a month. Yet, one of the most famous academics in IT-privacy law in Germany, for example, has selected 7 days in his sample privacy declaration. In not wishing to take any risk, I have decided, for most use cases, to generally limit the storage to 7 days. As court rulings have been quite strict recently in the field of privacy, I believe it is better to wander on the less risky side of it.

Along these lines, I think it would be worth including such an option.

But as the data are stored in a database, maybe I can delete them simply there?

• This reply was modified 4 years, 3 months ago by lovinglyhappy.
• This reply was modified 4 years, 3 months ago by lovinglyhappy.

Hello @luckilyhappy

Thank you for your feedback.

I think the settings of the activity log retention policies vary a lot from business to business. It depends on the type of logs, the purpose of the logs etc. For example many financial institutions are required by law to keep logs for up to 8 years.

I do not know what the nature of your business is and why are you keeping the logs. However, from the security point of view one is definitely required to keep the logs for more than 7 days. In most cases people keep logs for at least a year.

Having said that, we might add a filter or update the setting to allow the users to specify days in the activity log retention settings. If you would like to keep yourself updated on our plugin updates, please subscribe to our newsletter.

Hello @wpwhitesecurity,

Thank you, yes, please consider that. Your statement about the security of point will, of course, help with arguing. Nevertheless, for those more worrying about law and fines than about security (but still wishing to do something about the latter), I believe such a setting might help. You could combine such a setting with the warning you have just given (maybe colour it “red”, and other less “dangerous”, but also add a warning that it will be an different case according to the laws that might apply in each case). I believe that would also help with what you have said – your plugin is used worldwide, certainly neither only in the U.S. nor the E.U., so best to keep it flexible and remind everyone how different rules can really be.

Thank you again for taking the time and such a helpful response.