BPS GDPR Compliance


This topic contains 0 replies, has 1 voice, and was last updated by AITpro Admin 2 weeks, 3 days ago.

  • #35734

    AITpro Admin
    Keymaster

    The BPS and BPS Pro WordPress plugins have a feature called “Security Log”. The BPS Security Log logs these HTTP Status Code errors: 400, 403, 404, 405, 410 and 503, to a plain text file, which contains a website visitor’s IP address in the Security Log entry. BPS and BPS Pro do not save IP addresses in the WordPress Database. The GDPR considers IP addresses as Personal Data. The majority of Security Log entries are going to be logged for blocked hackers and spammers (99%), but a minority of Security Log entries could be logged for a normal website visitor if something legitimate is being blocked by BPS in another plugin or theme (1%) and an error log entry is written to the Security Log file. BPS does not log all visitors to a website and only logs errors (400, 403, 404, 405, 410 and 503 errors).

    Several BPS features write to the Security Log text file: Login Security & Monitoring, JTC Anti-Spam|Anti-Hacker, Plugin Firewall, Maintenance Mode and the 400, 403, 404, 405 & 410 template logging files. Plugin Firewall AutoPilot Mode uses the Security Log data to automatically create Plugin Firewall whitelist rules.

    The general idea of the GDPR appears to be to prevent abuse of processing users’ personal data. “Processing” seems to mean something similar to “data mining” with the intention of profiling individuals in order to either sell or resell their personal data or reuse their personal data in some unscrupulous way, or to target individuals for sales or other nefarious or unscrupulous reasons.

    What constitutes data processing?
    #################################

    Answer
    Processing covers a wide range of operations performed on personal data, including by manual or automated means. It includes the collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data.

    The General Data Protection Regulation (GDPR) applies to the processing of personal data wholly or partly by automated means as well as to non-automated processing, if it is part of a structured filing system.

    Examples of processing
    staff management and payroll administration;
    access to/consultation of a contacts database containing personal data;
    sending promotional emails*;
    shredding documents containing personal data;
    posting/putting a photo of a person on a website;
    storing IP addresses or MAC addresses;
    video recording (CCTV).
    *Please remember that to send direct marketing emails, you also have to comply with the marketing rules set out in the ePrivacy Directive.

    References
    Article 4(2) and (6) of the GDPR

    GDPR EU Reference Links:

    Information Commissioner’s Office (ICO) website:
    https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr

    European Commission website:
    https://ec.europa.eu/info/law/law-topic/data-protection_en

    EU GDPR Compliant website:
    https://eugdprcompliant.com/

    General Data Protection Regulation (GDPR) (EU) Wiki Page:
    https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

    So what does all of this GDPR stuff mean in relation to the BPS and BPS Pro plugins and what are your options?
    Since the BPS and BPS Pro Security Log text files are used by the BPS and BPS Pro plugins to perform some internal automated plugin tasks, are also used by Users for troubleshooting and are not used for any other sort of nefarious or unscrupulous data processing, then logically your legal responsibility would be to not use the Security Log personal data for any reason other than what it is intended for and probably do not distribute BPS Security Log text files to anyone else. If you are still worried that logging visitors’ IP addresses in the Security Log plain text file will get you in trouble then you can turn off/disable BPS and BPS Pro Security Logging. WARNING!!! Disabling/turning Off the BPS free Security Log means you will no longer be able to troubleshoot any problems. CRITICAL WARNING!!! Disabling/turning Off the BPS Pro Security Log means you will no longer be able to troubleshoot any problems and you will need to manually create Plugin Firewall whitelist rules.

    Your Data Breach Responsibility
    Since the Security Log is a plain text file and not data that is saved in your WordPress Database, the Security Log text file /wp-content/bps-backup/logs/http_error_log.txt can only be accessed by someone who has your FTP login information or your web host control panel login info. The likelihood of someone actually stealing and using the Security Log text file personal data (IP Addresses) for some malicious or nefarious or unscrupulous reason is pretty much NULL.

    New BPS Security Log option planned:
    A new BPS Security Log plugin option will be added in the next BPS plugin release that will allow someone to choose not to log IP addresses in the Security Log file.  That will allow someone to continue to use the Security Log feature without worrying about GDPR legal liabilities or responsibilities.
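The planned option above would stop IP addresses being written in the first place; for Security Log files already on disk, the script below is an added example (not code from BPS or BPS Pro) that pseudonymizes the IP addresses in a copy of the log while leaving the rest of each entry intact for troubleshooting. The sample line layout, the REMOTE_ADDR field name and the demo key are assumptions, not the plugin's real log format.

```python
import hashlib
import hmac
import ipaddress
import re

# Candidate IPv4 (dotted quad) or IPv6 tokens; each hit is validated with ipaddress below.
_CANDIDATE = re.compile(
    r"(?<![\w.:])(?:\d{1,3}(?:\.\d{1,3}){3}"
    r"|[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7}(?:\.\d{1,3}){0,3})(?![\w:])"
)

def truncate_ip(ip):
    """Coarsen irreversibly: keep the /24 of an IPv4 or the /48 of an IPv6 address."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)

def hash_ip(ip, key):
    """Keyed pseudonym (HMAC-SHA256): the same address always yields the same token,
    so a repeat offender stays recognisable, but it cannot be reversed without the key."""
    digest = hmac.new(key, ipaddress.ip_address(ip).packed, hashlib.sha256)
    return "ip-" + digest.hexdigest()[:16]

def redact_text(text, key=None):
    """Replace every IP address in text: keyed hash when a key is given, else truncate."""
    def _sub(match):
        token = match.group(0)
        try:
            ipaddress.ip_address(token)
        except ValueError:
            return token  # looked like an address but is not one (e.g. a time stamp)
        return hash_ip(token, key) if key else truncate_ip(token)
    return _CANDIDATE.sub(_sub, text)

def redact_file(src, dst, key=None):
    """Write a pseudonymized copy of the log; swap it in for src once it is verified."""
    with open(src, encoding="utf-8", errors="replace") as fin, open(dst, "w") as fout:
        fout.writelines(redact_text(line, key) for line in fin)

# Constructed sample in the spirit of a Security Log entry (not real BPS output).
SAMPLE_LOG = """\
[403 GET Request: Jan 1 2018 - 12:34:56]
REMOTE_ADDR: 203.0.113.45
REQUEST_URI: /wp-admin/admin-ajax.php
REMOTE_ADDR: 2001:db8:abcd:1234::1
"""

if __name__ == "__main__":
    print(redact_text(SAMPLE_LOG))
    print(redact_text(SAMPLE_LOG, key=b"constructed-demo-key"))
```

Truncation is enough when the log is only kept for troubleshooting; the keyed variant keeps one address mapping to one token, which matters when the entries are still used to recognise repeat offenders.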
