[fixermark]

Nothing about data storage and manipulation is straightforward.

Is the web server software you're using logging network requests? Are those requests possibly considered PII? Congratulations, you now have to care about the GDPR.

https://www.ctrl.blog/entry/gdpr-web-server-logs

[PuffinBlue]

Which is to say you don't have to care much at all, seeing as you do NOT need to inform or obtain consent from users to keep web logs that serve a 'legitimate interest' such as fraud, security or spam prevention.

Obviously if you were in the business of leaving such data insecure for anyone to obtain or merrily selling it on to reap as much dollar from your visitors as possible then you may be in for a bad time.

Otherwise it's just best practice to do what GDPR says anyway in the example you provide.

[fixermark]

From the top of https://www.gdpreu.org/the-regulation/key-concepts/legitimat...

""" “Legitimate interest” may be among the most confusing concepts written into the GDPR, which is not helped by the amount of incorrect interpretations available when you search for the term online. """

It's going to be up to individual companies and orgs how much risk they want to absorb trying to sort this dimension themselves rather than hiring a professional; I suspect we agree on that. But I suspect quite a few companies will want to soak the cost of having a professional review this stuff rather than trust their own common sense (especially if their common sense is not European-originated but they plan to have European users).

[krageon]

It is not risk. If your relevant regulatory body decides that your reasons are not legitimate (and if you definitely are using them to prevent service degradation and don't keep them around forever, I don't see why they would) then they will tell you so you can alter it.

[fixermark]

Companies hate building business models and practices around "Well, if the regulator's cool with it, then..." That's the very sound risk makes.

[mywittyname]

This is one of the aspects of GDPR that gets blown out of proportion. You can keep IP addresses in your server logs if you can demonstrate that it's important to your business.

If you can't demonstrate that it's important to your business, then you can mask the IP addresses. This was a very common thing to do even before GDPR.

In other words, compliance in this respect is dead simple. If you need IP address information for a specific reason, then keep them. If you don't need it, then change your log format to omit them or turn on IP masking.