" Full IP addresses should only be stored for as long as needed to provide a service;
Logs should only include the first two octets of IPv4 addresses, or first three octets of IPv6 addresses;
Inbound IP address logs shouldn't last longer than three days;
Unnecessary identifiers should not be logged – these include source port number, timestamps, transport protocol numbers, and destination port numbers;"
I don't agree. The way the internet works means that ip addresses are a necessary use. Yes, IP addresses can be Personally Identifiable Information when combined with other data, or you are using a fixed IP at an individual address, but if you access my services I can't help but know your IP address. My logging is fine to record your entire IP address. It is what I then do with that information that is important.
Also, I am bound to provide suitable protection against any intrusion, or notify ICO if I suspect an intrusion. This aso means potentially sifting through logs to try and locate that source. Three days? That is just silly. 6 Months, sensible. 12? Maybe they have a point, unless regulatory requirements state otherwise.
This would come under legitimate interest. If you come to use my online services, then I have to store the above information to allow me to satisfy the requirements that come from operating online services in the EU. If I then decide to do something funky with that data, then that is another thing entirely.
I am wondering if INTAREA felt that they hadn't yet made any statement regarding GDPR and rolled out the first thing that sounded press friendly. They certainly are not showing a deep understanding of the issues involved.
"Logs should be protected against unauthorised access."
And remember, Kids, don't take sweets from Strangers...