A record, or set of records, providing evidence of activities that affect (or may affect) a system, entity or process.
In an information security context, the term means a record of system activities (who did what, to which object, when, and with what outcome) that enables security events to be reconstructed and examined after the fact. To serve that purpose the records must be kept in a form that cannot be silently altered or deleted by the actors they describe.
The term is not commonly used in legislation, but a carefully preserved system of documentation is often required in practice to demonstrate compliance. The trail of filed information should allow an external auditor (for example, a supervisory authority) to retrace the steps taken to protect personal data. For example, in the event of a personal data breach, a trail of documents showing prompt remedial action and timely notification of affected data subjects can be a mitigating factor when a regulator assesses a data controller’s responsibility for the lapse.
See also: ACCOUNTABILITY
Buchanan, S. and Gibb, F., 2008. The information audit: theory versus practice. International Journal of Information Management, 28(3), 150–60, https://doi.org/10.1016/j.ijinfomgt.2007.09.003.
Calder, A., 2020. EU GDPR – an international guide to compliance. Ely: IT Governance. Available from: www.itgovernancepublishing.co.uk/product/eu-gdpr-an-international-guide-to-compliance.