Here’s the first thing you really need to know about the GDPR: you must be able to demonstrate your compliance. You do this by documenting your reasoning for certain decisions, documenting your policies and keeping other relevant documentation. And then there’s logging.
First of all, we need to define “logging” in this context. It has nothing to do with woods and chopping down trees, but rather logging in the sense of keeping track of things. But why do we need to keep track of things, you may ask? The GDPR says that you shouldn’t hold more data than you really need, nor store it for longer than you may (see the next blog, M is for Minimalization of data). But whilst we need to minimize the data and the processing thereof, we must also be able to prove that we process the data fairly, that consent was given freely, etc. But how do you prove this? Well, that’s where logging comes in.
The CIA triad is a model designed to guide information security policies within an organization. In other words, to have a good information security process in place you must have Confidentiality, Integrity and Availability.
Let me first explain in short what these concepts mean:
Confidentiality: the measures used to ensure the secrecy of data, objects or resources
Integrity: the protection of the reliability and correctness of data
Availability: authorized subjects are granted timely and uninterrupted access to objects
It’s easy to see how the GDPR & the CIA Information security model go hand in hand. So, when we talk about your ability to demonstrate your GDPR compliance, logging becomes a key part of your burden of proof.
There are many things you could and should log. Here are a few examples:
Tracking access to data – who accessed what and when. This is important because if there’s a data breach or other infringement or incident, this is one way to look back and see who you need to talk to. Mind you, having a good access management policy and process in place is key! (integrity & confidentiality)
Tracking data modifications – one of the principles of the GDPR and the CIA Triad, as mentioned above, is “integrity”. The data you keep must be correct. Any modifications should therefore be logged in case you need to see what the ‘old’ data said, why it was changed and by whom. (integrity & confidentiality)
Logging GDPR-specific activities – Data subjects have rights and can exercise them by making requests to your organization. You are obligated to respond to these requests in a timely manner and must notify the data subject of your response to their request. It’s important that you can prove that you dealt with their request within the allowed timeframe. And even though it might sound odd, when you receive a request for deletion you must log that you carried it out and keep that log. In essence you’re still keeping some information, but you have to, because you must demonstrate your compliance with the GDPR too. (integrity & confidentiality)
Logging consent and the accompanying circumstances – date, time, IP address, etc. When you have a website and you’re asking people to agree to your terms and conditions, and separately (remember what I wrote in C is for Consent) you ask them to consent to your privacy statement, you must log their consent. Example: someone says “sure, I really want to receive your newsletter!” but a year on doesn’t remember signing up and lodges a complaint with the data protection authority. You’ll be glad you can prove their consent. And if you can log their consent, you can log their withdrawal too. (integrity & confidentiality)
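As an added example (not code from the original post), here is a small tamper-evident audit log that covers the last two points: it records consent given and withdrawn with the accompanying date, time and IP address, records a data-subject request and the response to it, and chains every entry to the previous one by hash so that a later edit to an ‘old’ record is detected. Event names such as consent_given and erasure_requested, and the field names, are assumptions for the example; the subject, IP address and dates used are constructed sample values.

```python
import hashlib
import json
from datetime import datetime

# Added example, not the post's own code: event and field names are assumptions.
# Every entry commits to the previous entry's hash, so editing an old record makes verify() fail.
GENESIS = "0" * 64

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    def __init__(self):
        self.entries = []

    def record(self, event, subject, actor, ts, ip=None, detail=None):
        """Append one event; ts is an ISO-8601 timestamp string, actor is who did it."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": ts, "event": event, "subject": subject, "actor": actor,
                 "ip": ip, "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """True only if every hash and back-link in the chain is intact."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def consent_status(self, subject, purpose):
        """Latest logged decision for subject/purpose: True, False, or None if never asked."""
        decisions = {"consent_given": True, "consent_withdrawn": False}
        hits = [decisions[e["event"]] for e in self.entries if e["subject"] == subject
                and e["detail"] == purpose and e["event"] in decisions]
        return hits[-1] if hits else None

    def response_days(self, subject, request_event, response_event):
        """Days from a data-subject request to the logged response, or None if either is missing."""
        ts = {}
        for e in self.entries:
            if e["subject"] == subject and e["event"] in (request_event, response_event):
                ts.setdefault(e["event"], datetime.fromisoformat(e["ts"]))
        if request_event not in ts or response_event not in ts:
            return None
        return (ts[response_event] - ts[request_event]).days
```

Store the log append-only and keep the latest hash somewhere the log writer cannot change; then a subject's consent history, and how quickly a request was handled, can be shown from the log alone.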