Who Accessed What and When: GDPR’s Non-Negotiable Logging Requirement

A database query ran at 02:14. A file download happened eight seconds later. You need to know who did it, what they touched, and when it happened. Under GDPR, that’s not optional—it’s required.

The regulation makes it clear: organizations must track and document access to personal data. “Who accessed what and when” is not a vague slogan. It is a precise requirement for audit trails, breach analysis, and compliance reporting. If you store or process data on EU residents, you must be able to answer these three questions instantly and accurately.

Who accessed: Every interaction with personal data must be tied to a verified identity. This means logging authenticated usernames, service accounts, and even API keys. Anonymized logs fail compliance—they must be traceable to a real actor, human or machine.

What accessed: It’s not enough to record “user X viewed a record.” You must capture the specific data fields, files, or database tables accessed. The detail matters. GDPR sets the bar high: full visibility into what categories of personal data are touched.

When accessed: Precise timestamps in UTC with millisecond resolution are best practice. They allow alignment across systems and make forensic analysis possible. Missing or vague time data makes an audit trail useless and risks violations.

To implement this, build centralized logging pipelines that pull events from application layers, databases, APIs, and storage services. Enforce consistent schemas for log entries: actor ID, resource ID, operation type, and timestamp. Validate logs for completeness and integrity—tampered logs can be worse than missing ones because they hide incidents.

Automated monitoring should scan logs for unusual patterns: large exports at off-hours, repeated access to sensitive fields, or spikes from service accounts. GDPR expects organizations to detect and respond, not just store logs in cold archives.
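The three patterns named above (large exports at off-hours, repeated access to sensitive fields, bursts from service accounts) expressed as detection rules over a small set of constructed audit events. This is an added example, not code from the article or from hoop.dev; the event schema, field names, thresholds and the sample events are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime

# Detection thresholds; the values are this example's own assumptions, tune per environment.
SENSITIVE_FIELDS = {"email", "dob", "national_id", "health_status"}
OFF_HOURS_UTC = range(0, 6)          # 00:00-05:59 UTC
BULK_EXPORT_ROWS = 10_000            # rows in a single export that count as "large"
SENSITIVE_REPEAT = 3                 # sensitive-field accesses by one actor before alerting
SERVICE_BURST = 5                    # events per minute from one service account before alerting

# Constructed sample events in the actor / resource / operation / timestamp shape the article asks for.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:14:00.120Z", "actor": "svc-export", "actor_type": "service",
     "op": "export", "resource": "db:customers", "fields": ["email", "name"], "rows": 250_000},
    {"ts": "2024-03-01T03:00:00.000Z", "actor": "bob", "actor_type": "user",
     "op": "export", "resource": "db:tickets", "fields": ["subject"], "rows": 40},
    {"ts": "2024-03-01T09:00:01.000Z", "actor": "alice", "actor_type": "user",
     "op": "read", "resource": "db:customers/7", "fields": ["name"], "rows": 1},
    {"ts": "2024-03-01T09:05:10.000Z", "actor": "alice", "actor_type": "user",
     "op": "read", "resource": "db:customers/7", "fields": ["email"], "rows": 1},
    {"ts": "2024-03-01T09:06:00.000Z", "actor": "alice", "actor_type": "user",
     "op": "read", "resource": "db:customers/8", "fields": ["national_id"], "rows": 1},
    {"ts": "2024-03-01T09:07:30.000Z", "actor": "alice", "actor_type": "user",
     "op": "read", "resource": "db:customers/9", "fields": ["health_status"], "rows": 1},
] + [
    {"ts": f"2024-03-01T14:30:0{i}.000Z", "actor": "svc-sync", "actor_type": "service",
     "op": "read", "resource": f"db:customers/{100 + i}", "fields": ["name"], "rows": 1}
    for i in range(5)
]


def parse_ts(ts: str) -> datetime:
    """Parse the UTC millisecond timestamps the log uses."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")


def detect(events):
    """Scan events in order; return (rule, actor, timestamp) for the event that first trips each rule."""
    alerts = []
    sensitive_reads = Counter()       # actor -> sensitive-field accesses seen so far
    service_per_minute = Counter()    # (actor, minute) -> events seen so far
    for e in events:
        ts = parse_ts(e["ts"])
        # Rule 1: large export outside working hours
        if e["op"] == "export" and e["rows"] >= BULK_EXPORT_ROWS and ts.hour in OFF_HOURS_UTC:
            alerts.append(("off_hours_bulk_export", e["actor"], e["ts"]))
        # Rule 2: the same actor repeatedly touching sensitive fields
        if SENSITIVE_FIELDS & set(e["fields"]):
            sensitive_reads[e["actor"]] += 1
            if sensitive_reads[e["actor"]] == SENSITIVE_REPEAT:
                alerts.append(("repeated_sensitive_access", e["actor"], e["ts"]))
        # Rule 3: a burst of events from a service account inside one minute
        if e["actor_type"] == "service":
            key = (e["actor"], ts.strftime("%Y-%m-%dT%H:%M"))
            service_per_minute[key] += 1
            if service_per_minute[key] == SERVICE_BURST:
                alerts.append(("service_account_spike", e["actor"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, actor, ts in detect(SAMPLE_EVENTS):
        print(f"{ts} {rule} actor={actor}")
```

Each rule fires once, on the event that crosses its threshold, so a downstream responder gets one alert with the actor and exact timestamp to pivot on rather than one per event. The 40-row export at 03:00 is deliberately below the bulk threshold and produces nothing; the small export at off-hours is normal operation for many systems, and it is the combination of volume and time that the rule targets.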

Retention policies matter. Store audit trails for as long as legally required and keep them secure. Encrypt at rest, restrict access to logs, and track access to those logs—yes, “who accessed the access records” is part of the chain.
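An added example, not code from the article or from hoop.dev, that covers two of the points above: the consistent log schema with completeness and integrity validation from the implementation paragraph, and the requirement from the retention paragraph that reads of the audit trail are themselves logged. Entries are HMAC-chained so that an edited, removed or reordered record is detected on verification. The field names, the chaining scheme, the `AuditLog` class and the demo key are all this example's own assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Minimum field set for an access record: who (actor), what (resource and fields), when (timestamp).
# The names are this example's choice, not a standard schema.
REQUIRED_FIELDS = ("actor_id", "actor_type", "resource_id", "fields", "operation", "timestamp")
GENESIS = "0" * 64  # chain anchor used as "prev" for the first entry


def utc_now_ms() -> str:
    """ISO-8601 timestamp in UTC with millisecond resolution, e.g. 2024-03-01T02:14:00.120Z."""
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


class AuditLog:
    """Append-only access log whose entries are HMAC-chained so edits, deletions and
    reordering are detectable. In a real deployment the key lives in a secrets store,
    not in the process that writes the log (assumption: in-memory list as the store)."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _mac(self, entry: dict) -> str:
        # Canonical JSON of every field except the MAC itself, so verification is deterministic.
        body = {k: v for k, v in entry.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canonical, hashlib.sha256).hexdigest()

    def record(self, actor_id, actor_type, resource_id, fields, operation, timestamp=None) -> dict:
        entry = {
            "actor_id": actor_id,        # verified identity: username, service account or API key id
            "actor_type": actor_type,    # "user" | "service" | "api_key"
            "resource_id": resource_id,  # table, row, file or object that was touched
            "fields": list(fields),      # personal-data fields or categories accessed
            "operation": operation,      # read / update / export / download ...
            "timestamp": timestamp or utc_now_ms(),
        }
        # Completeness check: an entry that cannot answer who / what / when is rejected, not stored.
        missing = [f for f in REQUIRED_FIELDS if entry[f] in (None, "", [])]
        if missing:
            raise ValueError(f"incomplete audit entry, missing {missing}")
        entry["prev"] = self.entries[-1]["mac"] if self.entries else GENESIS
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return None if the chain is intact, otherwise the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("prev") != prev or not hmac.compare_digest(e.get("mac", ""), self._mac(e)):
                return i
            prev = e["mac"]
        return None

    def export(self, reader_id: str, reader_type: str = "user") -> list[dict]:
        """Reading the audit trail is itself an access to personal data: log it before returning."""
        self.record(reader_id, reader_type, "audit_log", ["access_records"], "read_audit_log")
        return list(self.entries)


if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key")
    log.record("alice", "user", "db:customers/42", ["email", "dob"], "read")
    log.record("svc-export", "service", "s3://exports/daily.csv", ["email", "name"], "download")
    for e in log.export("auditor-bob"):
        print(e["timestamp"], e["actor_id"], e["operation"], e["resource_id"])
    print("chain intact:", log.verify() is None)
```

Verification returns the index of the first entry that fails, which is the point from which the trail can no longer be trusted; everything before it still is. A keyed MAC rather than a plain hash chain means an attacker with write access to the log store but not the key cannot silently rewrite history, which is the "tampered logs hide incidents" failure the paragraph warns about.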

The cost of failure is high: fines, legal exposure, and loss of trust. The cost of doing it right is knowing exactly how your data moves through your systems and proving it when asked.

You can spend months building this yourself, or you can see it live today. Try hoop.dev and get full “who accessed what and when” visibility in minutes.
