> That’s not true, and for many companies this is just a simple business decision.
But likely based on incorrect advice.
You haven't said why you think your company isn't compliant with GDPR, and it's possible your company is compliant with GDPR, or would require only minor tweaks to privacy policies to make it compliant.
If you ask US-trained lawyers (especially those with exposure to the tech or financial sectors) to perform an impact assessment of a European regulation, don't be surprised to receive a full-on Chicken Little response.
The reality is that the law is not a programming language and compliance is about alignment with principles, not blindly following a set of rules.
Sounds like he analyzed it very closely, so probably not based on incorrect advice.
And I’m guessing he can’t share too much about why since he has said it's based on architectural decisions, which might reveal business secrets.
The biggest reason I don’t like complying with GDPR is the IP address situation: I’m going to continue to track them and I’m not going to delete them because somebody requested.
> I’m not going to delete them because somebody requested.
Why do you think you need to delete them when requested to do so? Can you point me to the bit of the regulation that makes you think that's a requirement?
When I read it, I see that "The data subject shall have the right to ... erasure of personal data ... where one of the following grounds applies: ... the data subject withdraws consent...."
I imagine that HTTP logs associating URLs and IPs are personal data because they associate users with activity, so they would have to be removed.
It's pretty hard to destroy individual log lines (they're often aggregated in zipped files, for instance), and logs show up in lots of places: your load balancer may log, your web server may log, your application may log, those logs may be backed up to tape, you might have debug logs captured for analysis from any of these systems, and those debug logs might be present on developer machines, not on servers or long-term storage.
That basically means that if any user asks to have their data erased, you have to figure out whether they owned that IP address at that time (so they can't ask for others' information to be removed), then delete all those logs, potentially rewriting your whole tape archive(!), potentially having developers destroy the debugging info they were using to track down a memory leak or whatever (on laptops, or in the ticketing system, or in heap dumps, or wherever it might be).
It's pretty easy to say "don't keep logs of IP addresses", but that's one of the major ways people detect malicious traffic, e.g. spam, denial-of-service attacks, and break-in attempts. It's hard to live without that.
Am I reading something wrong? Is there something I missed in that section that makes it easier?
Is "so we can look for malicious traffic" enough of a legal ground for processing to keep personal information around indefinitely even if the user asked for it to be removed? I can't imagine that's so, as that would be a pretty big loophole.
> the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
There are several justifications for processing user data. One of them is consent. But there are others. One is "legitimate need". You're not using user consent to process this log data, you're using a legitimate need justification.
> processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Legitimate interest doesn't let you gather everything and keep it forever, but standard practice log rotation seems like it's compliant.
The proper way to deal with this is to rotate out the logs after a finite amount of time (you are doing that anyway, right?) and then to delete the logs after yet another period of time, once they have outlived their useful life. That's good practice anyway so I really don't see the problem.
Looking for malicious traffic is not a loophole that allows you to keep data indefinitely - even if nobody asks you to remove it - you don't need to keep it indefinitely.
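As an added illustration, not code from anyone in this thread, of the two mechanics discussed above (the difficulty of removing one IP's lines from zipped logs, and the "rotate, then delete after a retention period" practice), here are hypothetical Python helpers run over a constructed sample: the file names, the IPs (taken from the documentation ranges) and the 90-day retention period are assumptions.

```python
import gzip
import os
import tempfile
from pathlib import Path

def expire_logs(log_dir, retention_days, now):
    """Delete rotated *.gz logs whose mtime is older than retention_days; return the names deleted."""
    cutoff = now - retention_days * 86400
    deleted = []
    for p in sorted(Path(log_dir).glob("*.gz")):
        if p.stat().st_mtime < cutoff:
            p.unlink()
            deleted.append(p.name)
    return deleted

def erase_ip(path, ip):
    """Stream-rewrite one gzipped log, dropping lines whose client IP equals ip; return (kept, dropped)."""
    tmp = path.with_name(path.name + ".tmp")
    kept = dropped = 0
    with gzip.open(path, "rt") as src, gzip.open(tmp, "wt") as dst:
        for line in src:
            # In combined/common log format the client IP is the first space-separated field.
            if line.split(" ", 1)[0] == ip:
                dropped += 1
            else:
                dst.write(line)
                kept += 1
    os.replace(tmp, path)  # atomic swap: the original is never left half-written
    return kept, dropped

def demo():
    # Constructed sample: two rotated logs, one past retention, one subject to an erasure request.
    d = Path(tempfile.mkdtemp())
    old, recent = d / "access.log-20240101.gz", d / "access.log-20240301.gz"
    lines = ['203.0.113.7 - - [01/Mar/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 12\n',
             '198.51.100.9 - - [01/Mar/2024:10:00:01 +0000] "GET /a HTTP/1.1" 404 0\n',
             '203.0.113.7 - - [01/Mar/2024:10:00:02 +0000] "GET /b HTTP/1.1" 200 7\n']
    for p in (old, recent):
        with gzip.open(p, "wt") as f:
            f.writelines(lines)
    now = 1_709_300_000  # fixed "current" time (assumed) so the run is reproducible
    os.utime(old, (now - 120 * 86400, now - 120 * 86400))  # pretend this archive is 120 days old
    deleted = expire_logs(d, retention_days=90, now=now)
    kept, dropped = erase_ip(recent, "203.0.113.7")
    with gzip.open(recent, "rt") as f:
        remaining = [ln.split()[0] for ln in f]
    return {"deleted": deleted, "kept": kept, "dropped": dropped, "remaining": remaining}
```

The erasure pass only reaches files on the host it runs on; the tape archives, developer laptops and ticketing-system attachments mentioned earlier in the thread are exactly the copies it cannot touch, which is why the retention-based expiry is the part that scales.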