We run a UK VPS hosting business (hoping to expand soon into the dedicated server market). As some of you may be aware, new EU law came into force last month in the UK, stating that some IP information must be retained for 12 months. I have a few questions relating to this, and while I appreciate that you guys aren't lawyers, maybe you can shed some light on what you're doing?
q1) We rent space from a colocation provider (as most hosting companies do). Do you reckon that we need to retain anything? Or is this the job of the colo provider (who run their own AS network)?
q2) What is it that we actually need to keep? Our router is able to log connections (i.e. one log entry per "state"), so we could easily log that out to a syslog server.
q3) The new law mentions things about storing information about emails. We don't provide email services, but of course some of our customers use their VPSes as email servers. Would we still need to retain email header information? (This would be a technical nightmare.)
q4) The UK law mentions something along the lines of only needing to follow the law if you've been asked by the government. Am I reading this right?
Phew! That's a lot of questions! Hopefully someone UK/EU based can shed some light.
- your mail server logs (/var/log/maillog)
- IP-address assignments
- historical name/address information of your customers. (e.g. if they change their home address through your billing portal, you also need to retain the previous address).
Data retention only applies to providers offering PUBLIC services, so if you have VPS customers that installed their own mail server for their own private use, that is not your concern.