BPS GDPR Compliance

    #35734
    AITpro Admin
    Keymaster

    UPDATE: 6-15-2018:
    BPS free 3.1 and BPS Pro 13.6 have new Setup Wizard Option to make BPS GDPR Compliant.  A new Dismiss Notice has been created to inform folks of this new GDPR Compliance Setup Wizard Option.

    BPS Pro 13.6+:
    New Setup Wizard Options setting: GDPR Compliance: Allows someone to turn IP address logging On or Off throughout all BPS Pro plugin features by choosing the GDPR Compliance On option setting on the Setup Wizard Options page. BPS Pro features affected: Security Logging, Login Security Logging, JTC Anti-Spam|Anti-Hacker Logging and Maintenance Mode Logging. Note: For simplicity and ease of use there is only one option setting that needs to be set instead of creating individual option settings in all BPS Pro features that perform IP address logging.

    BPS Free 3.1+:
    New Setup Wizard Options setting: GDPR Compliance: Allows someone to turn IP address logging On or Off throughout all BPS plugin features by choosing the GDPR Compliance On option setting on the Setup Wizard Options page. BPS features affected: Security Logging, Login Security Logging, and Maintenance Mode Logging. Note: For simplicity and ease of use there is only one option setting that needs to be set instead of creating individual option settings in all BPS features that perform IP address logging.

    ===================================================================

    The BPS and BPS Pro WordPress plugins have a feature called “Security Log”.  The BPS Security Log logs these HTTP Status Code errors: 400, 403, 404, 405, 410 and 503 errors to a plain text file, which contains a website visitor’s IP address in the Security Log entry.  BPS and BPS Pro do not save IP addresses in the WordPress Database.  The GDPR considers IP addresses as Personal Data.  The majority of Security Log entries are going to be logged for blocked hackers and spammers (99%), but a minority of Security Log entries could be logged for a normal website visitor if something legitimate is being blocked by BPS in another plugin or theme (1%) and an error log entry is written to the Security Log file.  BPS does not log all visitors to a website and only logs errors (400, 403, 404, 405, 410 and 503 errors).

    Several BPS features write to the Security Log text file: Login Security & Monitoring, JTC Anti-Spam|Anti-Hacker, Plugin Firewall, Maintenance Mode and the 400, 403, 404, 405 & 410 template logging files.  Plugin Firewall AutoPilot Mode uses the Security Log data to automatically create Plugin Firewall whitelist rules.

    The general idea of the GDPR appears to be to prevent abuse of processing users’ personal data.  “Processing” seems to mean something similar to “data mining” with the intention of profiling individuals in order to either sell or resell their personal data or reuse their personal data in some unscrupulous way or to target individuals for sales or other nefarious or unscrupulous reasons.

    What constitutes data processing?
    #################################

    Answer
    Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

    The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system.

    Examples of processing
    staff management and payroll administration;
    access to/consultation of a contacts database containing personal data;
    sending promotional emails*;
    shredding documents containing personal data;
    posting/putting a photo of a person on a website;
    storing IP addresses or MAC addresses;
    video recording (CCTV).
    *Please remember that to send direct marketing emails, you also have to comply with the marketing rules set out in the ePrivacy Directive.

    References
    Article 4(2) and (6) of the GDPR

    GDPR EU Reference Links:

    Information Commissioner’s Office (ICO) website:
    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

    European Commission website:
    https://ec.europa.eu/info/law/law-topic/data-protection_en

    EU GDPR Compliant website:
    https://eugdprcompliant.com/

    General Data Protection Regulation (GDPR) (EU) Wiki Page:
    https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

    So what does all of this GDPR stuff mean in relation to the BPS and BPS Pro plugins and what are your options?
    Since the BPS and BPS Pro Security Log text files are used by the BPS and BPS Pro plugins to perform some internal automated plugin tasks, are also used by Users for troubleshooting and are not used for any other sort of nefarious or unscrupulous data processing, then logically your legal responsibility would be to not use the Security Log personal data for any reason other than what it is intended for and probably do not distribute BPS Security Log text files to anyone else.  If you are still worried that logging visitors’ IP addresses in the Security Log plain text file will get you in trouble then you can turn off/disable BPS and BPS Pro Security Logging.  WARNING!!!  Disabling/turning Off the BPS free Security Log means you will no longer be able to troubleshoot any problems.  CRITICAL WARNING!!!  Disabling/turning Off the BPS Pro Security Log means you will no longer be able to troubleshoot any problems and you will need to manually create Plugin Firewall whitelist rules.

    Your Data Breach Responsibility
    Since the Security Log is a plain text file and not data that is saved in your WordPress Database, the Security Log text file:  /wp-content/bps-backup/logs/http_error_log.txt can only be accessed by someone who has your FTP login information or your web host control panel login info.  The likelihood of someone actually stealing and using the Security Log text file personal data (IP Addresses) for some malicious or nefarious or unscrupulous reason is pretty much NULL.

    New BPS Security Log option planned:
    A new BPS Security Log plugin option will be added in the next BPS plugin release that will allow someone to choose not to log IP addresses in the Security Log file.  That will allow someone to continue to use the Security Log feature without worrying about GDPR legal liabilities or responsibilities.
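Turning IP address logging off only affects entries written from that point on; entries already in the Security Log text file still carry addresses. The following is an added example, not code from the forum post or from the BPS plugin: a Python scrub that blanks the address-bearing fields of existing entries while keeping the status code, URI and event data needed for troubleshooting. The log layout and the field names (REMOTE_ADDR and the proxy headers) are assumed, and the sample log is constructed.

```python
import re

# Constructed sample in the spirit of the BPS http_error_log.txt layout;
# the exact field set of the real log is assumed, not taken from the page.
SAMPLE_LOG = """[403 GET Request: June 15, 2018 - 10:00 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 203.0.113.42
HTTP_X_FORWARDED_FOR: 198.51.100.7, 203.0.113.42
REQUEST_URI: /wp-login.php
HTTP_USER_AGENT: Mozilla/5.0 (constructed)

[404 GET Request: June 15, 2018 - 10:02 am]
Event Code: BFHS - Blocked/Forbidden Hacker or Spammer
REMOTE_ADDR: 2001:db8::1
HTTP_CLIENT_IP:
REQUEST_URI: /xmlrpc.php
"""

# Fields that carry a client address (REMOTE_ADDR plus the usual proxy
# headers). Redacting whole field values, rather than pattern-matching IPs
# anywhere in the text, means timestamps, URIs and user agents are untouched.
IP_FIELDS = ("REMOTE_ADDR", "HTTP_CLIENT_IP", "HTTP_FORWARDED",
             "HTTP_X_FORWARDED_FOR", "HTTP_X_CLUSTER_CLIENT_IP")
IP_LINE = re.compile(r"^(%s):\s*(.*)$" % "|".join(IP_FIELDS))


def redact_line(line: str, placeholder: str = "[redacted]") -> str:
    """Blank the value of an address-bearing field; other lines pass through."""
    m = IP_LINE.match(line)
    if not m or not m.group(2).strip():
        return line  # not an address field, or the field is already empty
    return f"{m.group(1)}: {placeholder}"


def scrub_log(text: str) -> str:
    """Redact every address-bearing field in a whole Security Log text."""
    return "\n".join(redact_line(line) for line in text.splitlines())


def count_redacted(text: str) -> int:
    """Number of address values that were present, for reporting what was scrubbed."""
    return sum(1 for line in text.splitlines() if redact_line(line) != line)


if __name__ == "__main__":
    print(scrub_log(SAMPLE_LOG))
    print("address values redacted:", count_redacted(SAMPLE_LOG))
```

Run it against a copy of the log file rather than in place, and keep the original only as long as your own troubleshooting or retention policy requires.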

    #40240
    AITpro Admin
    Keymaster

    Since GDPR began back in 2018 I have received several GDPR Right of Access request (SAR) phishing scam emails over the years, which were obvious attempts at stealing people’s personal/private data, more commonly known as Identity Theft.  I find it ironic that GDPR has created a treasure trove for identity thieves.  Since I do not store anyone’s personal/private data on any of my sites, responding to legitimate GDPR SAR requests costs me very little time and money.  All payment processing for purchases of the BPS Pro plugin is handled by PayPal.  I do not store any personal/private data about anyone else on any of my sites.

    If you receive a GDPR Right of Access request (SAR/DSAR) I recommend that you verify that the person making the request for personal/private data is legitimate and ONLY provide personal/private data “types” and not their actual personal/private data.

    Example:
    I have X personal/private data stored for you/your account. Where X is the “type” of data, but not the actual data itself, i.e. SSN/TAX ID, Phone #, Address, Email, IP address, Credit Card #, etc. Never provide the actual personal/private data itself since this is exactly what identity thieves want in order to steal someone’s identity, more commonly known as Identity Theft. Then have that person submit an official document to you authorizing you to delete their personal/private data. This will protect you from legal consequences since you will have official documentation that the person requested that you delete their personal/private data.
