Log management and GDPR, how are they related?
When the “ADS Provision” on system administrators (amministratori di sistema, ADS) was issued by the Italian Data Protection Authority on 27 November 2008 (published in the Official Gazette n. 300 of 24 December 2008), it met with little enthusiasm because it was considered of little use. All it required was that the logical accesses of system administrators (login, logout and failed login attempts) be recorded on every computer system.
With the introduction of the GDPR, however, the usefulness of access tracking is no longer a secondary issue. On the contrary, it becomes essential for complying with the requirements of the legislation on the processing of personal data.
Why does log management become important within the GDPR?
When the GDPR was about to take effect and the need to comply with it exploded, many log management products that had long been forgotten were resurrected in an attempt to ride the trend. Many of them, of course, had not been designed with privacy in mind and were therefore of little help in managing GDPR compliance.
The GDPR imposes a fundamental principle: accountability. Those who process personal data are responsible for compliance with the principles of the Regulation and must be able to demonstrate it, showing, should a breach be suspected, that appropriate protective measures had been taken. For this reason, organizations that want to be GDPR compliant are forced to review the way they handle log management as well.
Within this accountability framework (Art. 5, para. 2 of the GDPR), a log management tool is an important means of demonstrating the data controller's commitment to protecting its archives and computer systems. Precisely because the principle requires activities to be documented, data controllers need such tools in order to show, in case of a breach, that they had adopted the appropriate measures to protect the data.
What are the other principles of Art. 5?
Art. 5 of the GDPR also lists other general principles that are linked to log management activities:
- Transparency: data subjects, in this case the employees, must be informed in advance and adequately about the processing activities carried out on their personal data. To meet this requirement, an information notice with the content required by Art. 13 of the GDPR must be prepared and made available to them.
- Purpose limitation: the processing of personal data must have legitimate purposes, such as ensuring information security, but not monitoring work activities.
- Data minimization: it is legitimate to collect only the information strictly necessary to achieve the purposes.
- Storage limitation: data must be stored only for as long as is necessary to achieve the purposes. The retention period of log files must therefore be related to the activities carried out and to the objective characteristics of the organization. For logs of system administrator activity, a minimum was set by the ADS Provision of the Privacy Guarantor in 2008, which requires access logs to be retained for at least six months.
- Integrity and confidentiality: the log management system must guarantee the accuracy, integrity and immutability of the log records. At the same time, access to the records must be limited to specifically identified individuals, protected by individual credentials, tracked in its own right and justified by the security needs of the systems.
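The integrity, immutability, access-tracking and retention requirements listed above are usually met by a log collector that keeps a tamper-evident chain of records. The following is an added example, not code from the page or from any product: each record carries an HMAC over its content and over the MAC of the previous record, so that a modified, deleted or reordered record breaks the chain, and the retention helper refuses a period shorter than the six months the ADS Provision requires. The key, the JSON record layout, the field names and the sample login/logout events are all constructed for the example; in a real deployment the key would live in a KMS or HSM that the logged administrators cannot reach.

```python
"""Tamper-evident access log: HMAC-chained records plus a retention check.

Added example, not the page's own code. Assumes a secret held only by the
log collector (a constructed key below) and records stored as JSON objects.
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed key for the example. Keep the real one out of reach of the
# administrators whose accesses are being logged (KMS/HSM, not a config file).
LOG_KEY = b"example-collector-key-do-not-use"
GENESIS = "0" * 64                      # chain anchor for the first record
MIN_ADMIN_RETENTION_DAYS = 180          # ADS Provision: at least six months


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so the MAC covers exactly these fields."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def append_record(chain: List[dict], ts: str, actor: str, event: str,
                  key: bytes = LOG_KEY) -> dict:
    """Append one record whose MAC covers its content and the previous MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"ts": ts, "actor": actor, "event": event, "prev": prev}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    rec = dict(body, mac=mac)
    chain.append(rec)
    return rec


def verify_chain(chain: List[dict], key: bytes = LOG_KEY,
                 expected_last_mac: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason).

    Edits, deletions and reordering anywhere in the chain are detected.
    Truncation at the tail is only detected if the last MAC was anchored
    somewhere the attacker cannot edit (pass it as expected_last_mac).
    """
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in ("ts", "actor", "event", "prev")}
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["mac"]):
            return False, f"record {i}: MAC mismatch (content modified)"
        if rec["prev"] != prev:
            return False, f"record {i}: chain break (record removed or reordered)"
        prev = rec["mac"]
    if expected_last_mac is not None and prev != expected_last_mac:
        return False, "tail truncated: last MAC does not match external anchor"
    return True, "ok"


def purgeable(chain: List[dict], now_iso: str, retention_days: int) -> List[dict]:
    """Records older than the retention period (storage limitation).

    Refuses a period below the six-month minimum for administrator logs.
    """
    if retention_days < MIN_ADMIN_RETENTION_DAYS:
        raise ValueError("retention below the six-month minimum for admin logs")
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=retention_days)
    return [r for r in chain if datetime.fromisoformat(r["ts"]) < cutoff]


if __name__ == "__main__":
    # Constructed sample of the events the ADS Provision asks to record.
    chain: List[dict] = []
    append_record(chain, "2024-01-05T08:00:00+00:00", "admin1", "login ok")
    append_record(chain, "2024-01-05T08:02:00+00:00", "admin1", "login failed")
    append_record(chain, "2024-01-05T17:30:00+00:00", "admin1", "logout")
    anchor = chain[-1]["mac"]           # store this outside the log server
    print(verify_chain(chain, expected_last_mac=anchor))

    # An administrator rewrites a failed login as a success: MAC mismatch.
    edited = [dict(r) for r in chain]
    edited[1]["event"] = "login ok"
    print(verify_chain(edited))

    # The same record is deleted instead: chain break on the next record.
    print(verify_chain([chain[0], chain[2]]))

    # The tail is cut off: only the external anchor reveals it.
    print(verify_chain(chain[:2]), verify_chain(chain[:2], expected_last_mac=anchor))
```

The external anchor is the part practitioners most often omit: a hash chain alone lets whoever controls the file drop the most recent records unnoticed, so the last MAC (or a count) should be shipped periodically to a system the administrators being logged cannot write to, and reading the log itself should go through the same append_record path so that consultations of the records are tracked as the page requires.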
Article 58 of the GDPR gives the supervisory authority both the power to impose a temporary or definitive limitation, including a ban, on processing carried out in violation of the Regulation, and the power to impose an administrative fine. Article 83 then sets the criteria for determining the amount of such a fine, with a cap of € 20,000,000 or, in the case of an undertaking, 4% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
A violation of the GDPR can also lead to criminal liability. The Italian Privacy Code, which predates the GDPR, provides for criminal sanctions under Articles 167 (unlawful data processing), 168 (false statements to the supervisory authority) and 169 (non-compliance with supervisory authority measures). For these offences the person who materially commits the act, such as the employee in charge of the processing, will certainly be held responsible, but this does not rule out extending criminal liability to the data controller.
It is therefore important to remember that equipping oneself with an adequate system for recording log files is essential for companies, not only to comply with the GDPR but also to improve the security of all company systems and to monitor access to them effectively.