• Resolved Mariette

    (@mariette-jackson)


    Hi

    Can you please help me with these questions relating to GDPR:

    1. what personal data, if any, is collected by your plugin

    2. where is the data stored

    3. how long is the data stored for

    4. does your plugin set any cookies?

    5. will your plugin be fully GDPR-compliant by 25 May 2018?

Viewing 13 replies - 1 through 13 (of 13 total)
  • Plugin Author AITpro

    (@aitpro)

    1. BPS does not collect any personal data. The only data that is recorded/logged are the log entries in the BPS Security Log text file. The data that is logged by the Security Log are these things below. Important Note: BPS only logs errors in the Security Log: 400, 403, 403, 405 and 410 errors. BPS does not log all visitors to a website.

    REMOTE_ADDR: The IP address of a website visitor (regular, hacker or spammer visitors)
    Host Name: The host name of a website visitor (regular, hacker or spammer visitors)
    HTTP_REFERER: The URL where the visitor was referred from if any.
    REQUEST_URI: The URI|URL on a website where the visitor went.
    QUERY_STRING: The Query String that was used in the Request/website visit.
    HTTP_USER_AGENT: The Browser User Agent used by the visitor.

    2. The data/log entries for the BPS Security Log are stored in this text file: /wp-content/bps-backup/logs/http_error_log.txt.

    3. The Security Log data/log entries are stored in this file: /wp-content/bps-backup/logs/http_error_log.txt until the Security Log file reaches the max size setting that you have chosen. When the max size is reached, the Security Log file is automatically zipped and emailed to you. A new blank Security Log file is created and the process repeats itself.

    4. BPS does not set any Cookies for itself. BPS only allows you to change the existing WordPress Cookie settings by using the Auth Cookie Expiration (ACE) feature in BPS.

    5. NA since BPS does not collect any personal data.

    • This reply was modified 6 years, 10 months ago by AITpro.
    Thread Starter Mariette

    (@mariette-jackson)

    Hi

    Thank you – that’s really helpful.

    One thing though – my understanding is that IP addresses are considered personal data for the purposes of GDPR.

    thanks again
    Mariette

    Plugin Author AITpro

    (@aitpro)

    Hmm that is odd because Public IP addresses used on the Internet are literally public and not any kind of “secret” or “private” thing. I will take a look at the GDPR again and see if there are different cases of when, what, where and how an IP address is logged. I believe the goal of the GDPR is to prevent data collection abuse and something like log file logging is not something I would consider data “farming” or “harvesting” or abuse. All web hosts log all visitor visits to a website in their server log files, but those server log files are not publicly accessible and are not used as any sort of data collection thing beyond the website owner’s own personal use or the web host’s tech support personal use.

    BPS only logs log entries when a problem or hacking attempt or spam attempt occurs. BPS does not log all visitors to a website.

    • This reply was modified 6 years, 10 months ago by AITpro.
    Thread Starter Mariette

    (@mariette-jackson)

    I have read that an IP address should be considered personal data as it enters the scope of ‘online identifiers’. See here (bottom of the page): https://eugdprcompliant.com/personal-data/

    I agree that logging for security purposes is legitimate. I think it would come under the category of ‘legitimate interest’ as a lawful basis for processing – but I’m no expert or lawyer!

    Thread Starter Mariette

    (@mariette-jackson)

    By the way, would it be possible to put this data protection info on a page on your website, so I can link to it (for clients’ data processing agreement etc)?

    That would be really helpful…

    Plugin Author AITpro

    (@aitpro)

    THE IP ADDRESS (IN SOME CASES)
    A much discussed topic is the IP address. The GDPR states that IP addresses should be considered personal data as it enters the scope of ‘online identifiers’. Of course, in the case of a dynamic IP address – which is changed every time a person connects to a network – there has been some legitimate debate going on as to whether it can truly lead to the identification of a person or not. The conclusion is that the GDPR does consider it as such. The logic behind this decision is relatively simple. The internet service provider (ISP) has a record of the temporary dynamic IP address and knows to whom it has been assigned. A website provider has a record of the web pages accessed by a dynamic IP address (but no other data that would lead to the identification of the person). If the two pieces of information were combined, the website provider could find the identity of the person behind a certain dynamic IP address. However, the chances of this happening are small, as the ISP has to meet certain legal obligations before it can hand the data to a website provider. The conclusion is, all IP addresses should be treated as personal data, in order to be GDPR compliant.

    The statement above kind of reminds me of Mark Zuckerberg’s Congressional testimony to Senators who were completely out of their depth. It is a generic and general all-purpose type of thing that is pointless and silly, but it is always better to comply with anything instead of resisting it no matter how ignorant it is.

    Yep, we will create an official GDPR info page on our forum site after we have reviewed the GDPR again to figure out exactly what we need to do and say to satisfy the GDPR. That will happen sometime in the next few days. I will post the link to the GDPR info page once it has been created.

    Plugin Author AITpro

    (@aitpro)

    I can’t resist this jab – An analogy to me for the GDPR treating IP addresses as personal data is the same thing as considering a car’s license plate as personal data > totally silly.

    • This reply was modified 6 years, 10 months ago by AITpro.
    Thread Starter Mariette

    (@mariette-jackson)

    Thanks very much for the GDPR info page – really helpful.

    And, hahaha, that’s so true about the licence plate analogy. It’s all got a bit out of hand, hasn’t it…!

    Plugin Author AITpro

    (@aitpro)

    Yep, they are just going a bit too far, but the primary reasons for the GDPR are very valid.

    Plugin Author AITpro

    (@aitpro)

    Ok I have created a BPS GDPR Compliance forum topic here > https://forum.ait-pro.com/forums/topic/bps-gdpr-compliance/. I think this makes it crystal clear that BPS Security Logging is “safe” and not malicious or nefarious or unscrupulous. If someone does still not feel comfortable using BPS Security Logging then they can Turn Off/Disable BPS Security Logging.

    Let me know if you think there is anything else I should add to the BPS GDPR Compliance forum topic.

    Thanks

    Plugin Author AITpro

    (@aitpro)

    Hmm just thought of a better idea. Add a new option that allows someone to choose whether or not IP addresses are logged in the Security Log text file. That would allow them to continue to use the Security Log feature without worrying about GDPR compliance and legal responsibilities.
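An added illustration, not BPS code, of the option AITpro proposes: a log-entry writer for the six Security Log fields listed earlier in the thread, with a hypothetical `ip_mode` setting that logs the visitor address in full, truncates it to a network prefix, or withholds it. The field names, the status list and the sample request are taken from or constructed around this thread; the `ip_mode` values and function names are assumptions.

```python
import ipaddress
from datetime import datetime, timezone

# The six fields the reply above says the Security Log records, in log order.
FIELDS = ("REMOTE_ADDR", "Host Name", "HTTP_REFERER",
          "REQUEST_URI", "QUERY_STRING", "HTTP_USER_AGENT")

# Constructed sample request; the values are made up, not captured traffic.
SAMPLE_REQUEST = {
    "REMOTE_ADDR": "203.0.113.45",
    "Host Name": "host-45.isp.example",
    "HTTP_REFERER": "",
    "REQUEST_URI": "/wp-login.php",
    "QUERY_STRING": "action=register",
    "HTTP_USER_AGENT": "Mozilla/5.0 (constructed sample)",
}

# Status codes the reply says BPS logs (403 is listed twice there).
LOGGED_STATUSES = {400, 403, 405, 410}


def anonymize_ip(ip):
    """Truncate an address to a network prefix (/24 IPv4, /48 IPv6) so the
    entry still shows where abuse came from without naming one host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def format_entry(status, request, ip_mode="full", now=None):
    """Return one Security Log entry, or None when the status is not logged.
    ip_mode (assumed option): "full" keeps IP and host name, "anonymized"
    truncates the IP and drops the host name, "off" withholds both."""
    if status not in LOGGED_STATUSES:
        return None
    fields = dict(request)
    if ip_mode == "anonymized":
        fields["REMOTE_ADDR"] = anonymize_ip(fields["REMOTE_ADDR"])
        fields["Host Name"] = "[withheld]"   # reverse DNS also identifies
    elif ip_mode == "off":
        fields["REMOTE_ADDR"] = "[withheld]"
        fields["Host Name"] = "[withheld]"
    elif ip_mode != "full":
        raise ValueError(f"unknown ip_mode {ip_mode!r}")
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    lines = [f"[{stamp}] {status} error"] + [f"{k}: {fields[k]}" for k in FIELDS]
    return "\n".join(lines) + "\n"
```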

    Thread Starter Mariette

    (@mariette-jackson)

    Hi, sorry for the delayed response (we had a bank holiday yesterday in the UK).

    I think that page is excellent, and a great idea to add the feature to turn off IP logging.

    My only comment would be that the bit about where the log is stored and that nothing is added to the database would be helpful at the top of the page – those seem like crucial details to me.

    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – the thread has been resolved. If the issue/problem is not resolved or you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

  • The topic ‘GDPR compliance questions’ is closed to new replies.