undefined | Better HN

0 pointsmpfundstein7y ago0 comments

I never really felt the need to store ips actually

0 comments

You might not, but your webserver did. Or did you change the logging configuration of your webserver to not store or obfuscate IPs in the past?

pbhjpbhj7y ago

This law suggests a shift to assuming no consent for gathering of PII, only gathering data when you have informed consent and a justifiable business need.

In the case of web servers I can't see a problem with not recording IP if you're also gathering PII; or asking for permission in the PII submission; or say dropping the last digits from a dotted-quad as a default.

detaro7y ago

Consent is only one possible justification for processing, you do not need it for everything. It's more a shift to "processing PII is forbidden unless for one of the following reasons", consent being one of them, and requiring assigning purposes to collected data. You can't just have webserver logs piling up somewhere without reason, but you probably can have a policy like "We keep IP addresses for 48 hours for security purposes", if you have an appropriate security process needing that data.

NDizzle7y ago

You don't want to log access requests to your web servers based on IP? I disagree with you at pretty much the lowest, most fundamental level.

1 more reply

j / k navigate · click thread line to collapse