Is it still allowed to have log files under the new GDPR? [closed]

The General Data Protection Regulation (GDPR) is for protecting privacy and giving the control over personal data back to citizens. It's not a list of things not to do, even though there's quite a mythology around it already. Currently working as a GDPR mythbuster (not official job title, unfortunately) I've already seen a lot of misunderstanding, misleading and honest uncertainty.

Selected quotations from Art. 5:

Personal data shall be:

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; - - (‘purpose limitation’);

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

More important than what is collected that it is collected for legitimate purposes and only used for those. One reason to collect IP addresses in log files might be to comply with the integrity and confidentiality: if the purpose of the log files is to detect and prevent illegitimate use of personal data, then it may be for ensuring the privacy, not for violating it.

Just focus on documenting how and why this data is collected, processed and destroyed after it's not needed anymore. If you don't consider your purposes falls in Art. 6 lawful "necessary for compliance with a legal obligation" nor "necessary in order to protect the vital interests of the data subject or of another natural person", the given consent is always the most safe & clear case.


Because of [the GDPR] the gathering of IP addresses is not allowed

That simplification is patently incorrect.

The GDPR provides a legal framework for how personal data may be collected, stored and processed. IP-addresses are considered digital personal data governed by that legislation.

Article 6 point 1 provides 6 conditions that make it legal to process personal data (including IP-addresses) and it is already sufficient if only a single one of those is applicable for your purpose.

So it may well be that the IP addresses in your log files are not a violation.

(You may for instance have consent from your users to collect their IP addresses for a specific purpose.)

Since IP addresses are considered personal data, they have to be treated as such and relevant safeguards have to be taken to ensure their security.