Old post, but still relevant regarding GDPR audit.
The problem with logging selections, and not logging the data that has been transferred, is that when you open an app, a user normally can see "all data", as no selections has been applied yet.
Qlik is not logging what the user looks up. Only attempts to filter the data.
And Qlik (as far as I can see) does not log which sheet the user is opening. So we have no way of deducting what the user might have seen, having no filters set.
One workaround may be to set an initial selection filter, that blocks most data from being loaded to the client. This can be a static selection, or at best based on the user name. Unfortunately I know of no way to set an initial filter based on a user's AD groups, or SAML attributes such as departments, roles etc. (One day, maybe.)