Chapter 2

Cyber risk management

Data retention and life-cycle management also have cyber security implications.

Some so-called technical data used to monitor systems contain personal data and are therefore subject to the GDPR.

In addition, the data controller, as the party responsible for the processing, is subject to legal obligations regarding retention periods.

Cyber risk management

As mentioned above, some technical data allow systems to be monitored, for example access files containing the list of connections to those systems.

These connection log files are processed to analyse the information systems, identify alerts and their sources, and implement a crisis management action plan.

Log files can contain all sorts of personal data, including users' IP addresses.

It is therefore essential to know the retention period of these log files and to implement a data retention policy specific to cyber risk management, applicable to the business and the company.

Retention period

The retention period for log files may be subject to sectoral legal and regulatory constraints. The data controller should review them to define the technical means needed to archive the logs.

The CNIL considers that connection logs cannot be kept for more than 6 months unless other specific regulatory constraints apply.

The maximum retention period for logs according to law is 1 year, with reference to the CPCE (Code des Postes et des Communications Electroniques) and to Decree No. 2011-219 on the retention and disclosure of data allowing the identification of any person who contributed to the creation of content posted online.

It should be recalled that each regulation or standard defines its own requirements.

For the purposes of fighting cyber threats and on the basis of legitimate interest, longer retention periods can be justified, for example to analyse persistent attacks (APTs). The justification must then be set out in the processing documentation, under the accountability principle. Supporting measures will be required (restricted and secured access to the data, a DPIA, etc.).

Finally, beyond the logs' retention period, the question of how they are kept (intermediate archiving) must be addressed. It is strongly recommended to include in the data retention policy a chapter devoted to managing retention periods within cyber risk management.

Regulation

Organizations may also be subject to additional requirements related to their industry in terms of traceability and archiving, in particular when they carry out their activity in a regulated sector.

For example, for payment card processing, section 10.7 of the PCI DSS security standard requires audit trail history to be retained for at least 1 year, with a minimum of 3 months immediately available for analysis.

In France, operators of vital importance (OVI) must retain, for at least 6 months, the events recorded by the logging system of their information systems of vital importance (SVI). Sectoral decrees define the obligations for each family of operators ("Audiovisual and information", "Electronic communications and Internet", "Industry" and "Finance").

Also in France, operators of essential services (OES) must keep the events recorded by the logging system (...) for a period of at least 6 months.

Finally, the French National Gaming Authority must be able to access archived data in the online gaming sector. The archives must cover at least the last twelve months of the operator's activity.

It is therefore strongly recommended to carry out an inventory of the sectoral regulations applicable to the information system.
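The retention tiers described in the two sections above (hot storage that is immediately accessible, intermediate archiving, purge at the end of the retention period, and a documented hold for an ongoing investigation) can be enforced mechanically once the per-category periods are fixed. The following is an added example written for this page, not code from the original guide or from any of the authorities cited. The category names, the `RetentionClass` dataclass, the sample file list and the hold set are constructed assumptions; the day counts mirror the figures quoted in the text (6 months for connection logs, 3 months online and 1 year total for the PCI DSS audit trail, 6 months for OVI/OES logging events) but are not legal advice.

```python
"""Tiered log retention planner (illustrative example, not the guide's own code).

For each log file it decides: keep in hot storage, move to intermediate
archive, purge, or keep under a documented investigation hold.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RetentionClass:
    hot_days: int    # period during which the logs stay immediately accessible
    total_days: int  # hot + intermediate archive; purge once this is exceeded


# Assumed retention classes; the figures follow those quoted in the text.
RETENTION: dict[str, RetentionClass] = {
    "connection_log": RetentionClass(hot_days=180, total_days=180),   # CNIL: 6 months
    "pci_audit_trail": RetentionClass(hot_days=90, total_days=365),   # PCI DSS 10.7
    "siv_events": RetentionClass(hot_days=180, total_days=180),       # OVI / OES: 6 months
}


@dataclass(frozen=True)
class LogFile:
    path: str
    category: str
    last_write: datetime


def validate_policy(policy: dict[str, RetentionClass]) -> list[str]:
    """Return the list of inconsistencies in a policy; an empty list means it is usable."""
    problems: list[str] = []
    for name, rc in policy.items():
        if rc.hot_days <= 0 or rc.total_days < rc.hot_days:
            problems.append(f"{name}: total_days must be >= hot_days > 0")
    pci = policy.get("pci_audit_trail")
    if pci is not None and (pci.hot_days < 90 or pci.total_days < 365):
        problems.append("pci_audit_trail: PCI DSS 10.7 needs 3 months online and 1 year total")
    return problems


def plan_actions(files: list[LogFile], policy: dict[str, RetentionClass],
                 now: datetime, holds: frozenset[str] = frozenset()) -> list[tuple[str, str, str]]:
    """Return (path, action, reason) triples. Holds win over every age-based rule,
    so a file kept for an APT investigation is never purged by the scheduler."""
    actions: list[tuple[str, str, str]] = []
    for f in files:
        if f.path in holds:
            actions.append((f.path, "hold", "documented investigation hold"))
            continue
        rc = policy.get(f.category)
        if rc is None:
            # Unknown category: never silently delete, send it for human review.
            actions.append((f.path, "review", f"no retention class for {f.category}"))
            continue
        age = (now - f.last_write).days
        if age <= rc.hot_days:
            actions.append((f.path, "keep", f"{age}d <= hot {rc.hot_days}d"))
        elif age <= rc.total_days:
            actions.append((f.path, "archive", f"{age}d <= total {rc.total_days}d"))
        else:
            actions.append((f.path, "purge", f"{age}d > total {rc.total_days}d"))
    return actions


# Constructed sample inventory (not real files) evaluated at a fixed reference time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    LogFile("/var/log/auth/2024-05-25.log", "connection_log", NOW - timedelta(days=7)),
    LogFile("/var/log/auth/2023-11-01.log", "connection_log", NOW - timedelta(days=213)),
    LogFile("/var/log/pci/2024-02-01.log", "pci_audit_trail", NOW - timedelta(days=121)),
    LogFile("/var/log/pci/2023-04-01.log", "pci_audit_trail", NOW - timedelta(days=427)),
    LogFile("/var/log/pci/2023-03-15.log", "pci_audit_trail", NOW - timedelta(days=444)),
    LogFile("/var/log/app/debug.log", "debug", NOW - timedelta(days=1)),
]
HOLDS = frozenset({"/var/log/pci/2023-03-15.log"})  # assumed hold for an ongoing investigation


if __name__ == "__main__":
    for problem in validate_policy(RETENTION):
        print("policy error:", problem)
    for path, action, reason in plan_actions(SAMPLE, RETENTION, NOW, HOLDS):
        print(f"{action:8} {path}  ({reason})")
```

The planner only returns decisions; wiring the "archive" and "purge" actions to the actual storage back end is deliberately left out so that the policy can be reviewed (and the hold list audited) before anything is deleted. Files with no retention class go to "review" rather than being purged, which is the safer failure mode when the inventory of applicable regulations is incomplete.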