Not to be rude but just to clarify, the raw IP logs were kept on a server facing the internet for 30 months!?
This is the field I work in, and I can guarantee that while I'm sure that was convenient, this is far from the norm and extremely insecure, unless you're in a few very select fields.
I'm 90% sure this is also a GDPR violation. I appreciate your services but this is sloppy.
We log only first access to report, nothing else. We do not have any extensive logging policy.
This is a single piece of information in regard to IPs that we save because we are daily dealing with issues:
1) clients claiming they never received reports
2) clients getting their emails deleted before they receive results and results sent to a non-existent email
3) report loading issues
And a couple more this helps to sort out.
With there being a dozen people dealing with customer support, oftentimes from home office, it has to be connected online somehow.
Regarding GDPR, it is not a violation; as per Article 6(1)(f), the above are legitimate interests.
Regarding the need to store it for that long - indeed, it is not necessary and it is a bad choice.
We didn't have a policy on how long we keep each dataset until now.
Naturally, we're rethinking a whole lot of stuff.