Yeah, great point. It's how you process and store the data that's important.
One of the key rights individuals have is to request that ALL PII about them is deleted from all of your records, and you have to comply with this request within a certain timeframe, with a maximum of 30 days. This includes backups, logs, everything.
Obviously, it's impractical to try to edit old backups to remove PII, so you have to be careful how you deal with logs in the first place - you might want them to be backed up on another machine with a maximum lifetime of a few days, you might want to not back them up at all and only back up your aggregated data, etc.
But keeping logs for a few days can be justified, as you say, for DDoS mitigation, post-failure root-cause analysis, etc, but the default for that data should be to delete it as soon as it's no longer useful for that purpose, which for most companies will be a couple of days, maybe another couple for the weekend. You can keep it longer still, for instance for active analysis, but the default should be to delete it as soon as possible.
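The retention policy sketched in this reply (delete raw logs after a few days by default, with a time-limited exception for active analysis) as a runnable script. This is an added example, not code posted by anyone in the thread; the 4-day default, the `Hold` type and the convention that a hold matches files by name prefix are assumptions made for the illustration.

```python
"""Retention enforcer for raw logs.

Default: delete a log file once it is older than a few days. Exception:
an explicit hold for active analysis, which must itself carry an expiry so
that "keep it for now" cannot silently become "keep it forever".
Added example for this thread; not code posted by anyone in it.
"""
import os
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path

# A couple of days, plus a couple more to cover a weekend (assumed default).
DEFAULT_RETENTION_DAYS = 4
SECONDS_PER_DAY = 86400


@dataclass(frozen=True)
class Hold:
    """Keep files whose name starts with `prefix` until `expires_at` (Unix time)."""
    prefix: str
    expires_at: float


def select_for_deletion(entries, now, retention_days=DEFAULT_RETENTION_DAYS, holds=()):
    """Pure policy decision, separated from filesystem access so it can be tested.

    entries: iterable of (file_name, mtime_unix) pairs.
    Returns the sorted list of names that are past the retention window and
    not covered by a still-valid hold. Expired holds are ignored, so a file
    whose hold has lapsed is deleted on the next run.
    """
    cutoff = now - retention_days * SECONDS_PER_DAY
    doomed = []
    for name, mtime in entries:
        if mtime > cutoff:
            continue  # still inside the default window
        held = any(name.startswith(h.prefix) and h.expires_at > now for h in holds)
        if not held:
            doomed.append(name)
    return sorted(doomed)


def enforce(log_dir, now=None, retention_days=DEFAULT_RETENTION_DAYS, holds=(), dry_run=False):
    """Apply the policy to the regular files in `log_dir`; return what was (or would be) deleted."""
    now = time.time() if now is None else now
    root = Path(log_dir)
    entries = [(p.name, p.stat().st_mtime) for p in root.iterdir() if p.is_file()]
    doomed = select_for_deletion(entries, now, retention_days, holds)
    if not dry_run:
        for name in doomed:
            (root / name).unlink()
    return doomed


def demo():
    """Build a constructed log directory in a temp dir, run enforce(), and
    return (deleted, remaining) so the outcome can be checked."""
    now = 1_700_000_000  # fixed clock so the result is deterministic
    ages_days = {
        "access-fresh.log": 1,   # inside the window: kept
        "access-old.log": 6,     # past the window, no hold: deleted
        "incident-42.log": 10,   # past the window, active hold: kept
        "incident-43.log": 10,   # past the window, hold already expired: deleted
    }
    holds = (
        Hold("incident-42", expires_at=now + 7 * SECONDS_PER_DAY),
        Hold("incident-43", expires_at=now - 1),
    )
    with tempfile.TemporaryDirectory() as d:
        for name, age in ages_days.items():
            p = Path(d) / name
            p.write_text("constructed log line\n")  # constructed sample content
            mtime = now - age * SECONDS_PER_DAY
            os.utime(p, (mtime, mtime))
        deleted = enforce(d, now=now, holds=holds)
        remaining = sorted(p.name for p in Path(d).iterdir())
    return deleted, remaining


if __name__ == "__main__":
    print(demo())
```

Run it from cron (or a systemd timer) once a day with `dry_run=True` first to see what it would remove. The important design choice is that a hold is the only way to keep data past the window and every hold expires, so the system falls back to deletion on its own rather than relying on someone remembering to clean up.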