There are requirements for data protection and privacy in many countries. Read Access Logging (RAL) is a mechanism usually required when authorizations are not sufficient to address the need for data protection and privacy, or when highly sensitive information is accessed.
Configuring logging consistently across many applications is costly and time consuming. Therefore, a technology providing a standard solution is desirable. At present, logging is addressed only in specific applications. The more applications support logging with local solutions, the worse total cost of ownership would be.
Logs are personal information on their own (in case personal information is viewed, this can be data of two or even more persons), and require purpose, authorizations, deletion, etc. like any other data. Some regulations even require encryption.
Logging shall be done where data is disclosed to a user or a third party. This implies that the data that is replicated between different systems of the same controller does not need to be logged. Even a report that is run and produces some output does not need to be logged, but when that output is then printed or viewed, logging shall take place. This may cause necessity for producing metadata when running the report for later use during printing or viewing, at least when highly sensitive information is processed. A challenge can be replication to systems or frontends that do not have adequate logging mechanisms in place or where these mechanisms can be easily bypassed. In that case logging likely has to take place at the time the replication takes place.
Capturing data about access is not sufficient, there must be tools to evaluate logs and to delete or archive logs. Logging shall be possible for all user interfaces (UIs), all downloads, and all interfaces or at least those that can be used for external communication. Some regulations require attempts for access to be logged as well.