DEV Community

Log Audit

Posted on • Originally published at log-audit.com

What Logs Do You Need for GDPR Compliance?


GDPR doesn't have a single "you must log X" requirement, but Articles 5, 25, 30, 32 and 33 together create a clear picture of the logging you need in order to demonstrate compliance. Get it wrong and you're not just non-compliant: you may be logging personal data you have no lawful reason to keep.

The Two Logging Challenges Under GDPR

GDPR creates a double-edged problem for logging:

  1. You must log: to demonstrate accountability (Article 5(2)), detect and investigate breaches, and answer subject access requests
  2. You must not over-log: recording personal data you don't need violates data minimisation (Article 5(1)(c)), and keeping it longer than needed violates storage limitation (Article 5(1)(e))

This tension is why GDPR logging is tricky.

What You're Required to Log

Article 30 — Records of Processing Activities

Controllers (and processors) must maintain a record of their processing activities: the purposes of processing, the categories of data subjects and of personal data, the recipients, retention periods where possible, and a general description of the security measures in place. For logging purposes, that record should be backed by evidence of:

  • Who accesses personal data
  • When they access it
  • For what purpose
  • From which system

The Article 30 record itself is documentation, not a log file. Your access logs are the evidence that processing actually happens the way the record says it does.

Article 32 — Security of Processing

You must implement "appropriate technical measures" including "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures."

In practice: you need logs that let you detect and investigate security incidents.

Article 33 — Breach Notification

You must notify your supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, and the notification has to describe the nature of the breach, including the categories and approximate number of data subjects and records affected. Without logs, you can't:

  • Confirm a breach occurred
  • Determine what data was affected
  • Establish a timeline
  • Identify who was impacted

The Minimum Logging Requirements for GDPR

1. Authentication Events

Every login to systems that process personal data:
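As an added example (not code from the original post or from Log Audit), here is a small Python logger that shows both sides of the tension described earlier: it writes an authentication event carrying the who / when / outcome / source / system fields, pseudonymises the user identifier with a keyed hash, truncates the source address, refuses to write passwords, tokens or email addresses, and then reads the stored lines back to answer the Article 33 questions (who was affected, over what time window). The JSON field names, the event name `auth.login`, the `/24` and `/48` truncation widths, the pseudonymisation key and the sample log lines are all assumptions constructed for this example.

```python
"""Added example of GDPR-aware authentication logging (not the post's own code).

All field names, the key, the truncation widths and the sample events below
are assumptions made for illustration.
"""
import hashlib
import hmac
import ipaddress
import json
import re
from datetime import datetime, timezone

# Assumption: in a real deployment this key lives in a secret store and is rotated.
PSEUDONYM_KEY = b"example-key-load-from-secret-store"

# The minimum fields an authentication event needs to support Art. 30/32/33.
REQUIRED_FIELDS = ("ts", "event", "subject", "outcome", "src_ip", "system")

# Keys whose presence in a record is a data-minimisation (or secret-leak) failure.
FORBIDDEN_FIELDS = {"password", "passwd", "secret", "token", "session_id", "email", "dob"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
VALID_OUTCOMES = ("success", "failure", "locked")


def pseudonymise(user_id: str) -> str:
    """Keyed hash: events for the same user stay linkable, raw identifier stays out of the log."""
    return hmac.new(PSEUDONYM_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def truncate_ip(ip: str) -> str:
    """Keep enough of the source address for triage, drop host-level precision (assumed widths)."""
    addr = ipaddress.ip_address(ip)
    width = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{ip}/{width}", strict=False)
    return f"{net.network_address}/{width}"


def auth_event(user_id: str, outcome: str, src_ip: str, system: str, ts=None, **extra) -> dict:
    """Build one login record with the required fields and refuse anything it must not contain."""
    if outcome not in VALID_OUTCOMES:
        raise ValueError(f"unknown outcome {outcome!r}")
    bad = FORBIDDEN_FIELDS & set(extra)
    if bad:
        raise ValueError(f"refusing to log personal data or secrets: {sorted(bad)}")
    for key, value in extra.items():
        if isinstance(value, str) and EMAIL_RE.search(value):
            raise ValueError(f"free-text field {key!r} contains an email address")
    rec = {
        "ts": (ts or datetime.now(timezone.utc)).isoformat(),
        "event": "auth.login",
        "subject": pseudonymise(user_id),
        "outcome": outcome,
        "src_ip": truncate_ip(src_ip),
        "system": system,
    }
    rec.update(extra)
    assert all(f in rec for f in REQUIRED_FIELDS)
    return rec


def to_line(rec: dict) -> str:
    """Serialise as one JSON line, the shape most log pipelines ingest."""
    return json.dumps(rec, sort_keys=True)


def incident_window(lines, src_prefix: str):
    """Art. 33 triage over stored lines: who logged in from a given source prefix, and when.

    Returns (set of pseudonymised subjects, first timestamp, last timestamp).
    """
    subjects, stamps = set(), []
    for line in lines:
        rec = json.loads(line)
        if rec["event"] == "auth.login" and rec["src_ip"] == src_prefix and rec["outcome"] == "success":
            subjects.add(rec["subject"])
            stamps.append(rec["ts"])
    if not stamps:
        return set(), None, None
    return subjects, min(stamps), max(stamps)


def sample_log() -> list:
    """Constructed sample: four logins, three of them from an attacker-controlled /24."""
    def t(minute):
        return datetime(2024, 5, 1, 10, minute, tzinfo=timezone.utc)
    events = [
        auth_event("alice", "failure", "203.0.113.77", "crm", ts=t(1)),
        auth_event("alice", "success", "203.0.113.78", "crm", ts=t(2)),
        auth_event("bob", "success", "198.51.100.5", "crm", ts=t(3)),
        auth_event("carol", "success", "203.0.113.9", "hr", ts=t(4)),
    ]
    return [to_line(e) for e in events]


if __name__ == "__main__":
    for line in sample_log():
        print(line)
    print(incident_window(sample_log(), "203.0.113.0/24"))
```

Two caveats a practitioner should keep in mind. Pseudonymised identifiers are still personal data under GDPR (Recital 26), so the log is not exempt from the regulation; what the keyed hash buys you is that someone who only reads the logs learns nothing about who the users are, while you can still resolve a subject access request or a breach notification by recomputing the hash from your identity store. And because linkage depends on the key, rotating it breaks correlation across the rotation boundary, so align key rotation with your log retention period rather than rotating on an unrelated schedule.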
