GDPR Learning Hub

Organisational measures

Access control is an important security measure under GDPR

When a company processes personal data, it is rarely necessary for all employees to have access to it. The company should therefore implement authorization management to ensure that only the right people have access. In practice this means that the company controls employees’ access rights in the various digital systems it uses to process personal data.

The principle of access on a “need to know-basis”

Access on a “need to know-basis” is a principle according to which only those within an organisation who need access to personal data in order to carry out their work should have it. This may involve access to individual documents and registers containing personal data, or access rights to an entire system.

For example, an accounting system contains personal data about both the company’s staff and its customers, such as invoices and salary documentation. It is often unnecessary for all staff to have access to the accounting system; it may be sufficient for a few people to have it, for example the staff who work with finance and accounting within the company.

Difference between Authorization and Mandate

Authorization and mandate are two important legal concepts that many people confuse. Both are central in the GDPR context and concern access to and handling of personal data within a business, in particular the roles of employees and what they can and may do with personal data.


Authorization

In short, authorization is the access an employee has to personal data, that is, which personal data the employee can technically reach. Among other things, this concerns what system access the employee has, such as login credentials and user accounts for systems that process personal data. A concrete example of an employee having authorization to a system: the employee is authorized to log in to the company’s CRM system, where customers’ personal data is stored, because the company’s CEO has created a user account in that system for the employee.


Mandate

Mandate is about what an employee is actually allowed to do with the personal data: the policy or instruction that governs how the employee may process it, including when and how. An example of mandate: the employee is authorized to view all customer personal data in the CRM system, but the employer has given clear instructions that the employee may only process the personal data of the customers to whom the employee has sold the company’s products. The employee therefore does not have the mandate to process other customers’ personal data, even though the employee has the authorization to see it in the system.

Examples of how a company can work with access control

Analyze the need

First of all, it is important to analyze the need for different roles within the company, that is, to find out which employees need access to which personal data in order to perform their tasks.

Document

According to the GDPR, companies must be able to demonstrate that they comply with the regulation, in accordance with the principle of accountability regulated in Article 5(2) of the GDPR. Therefore, it is good to always document the data protection work in writing. In addition, it can simplify the process for employees if there is clear documentation regarding who needs access to what personal data.

Access

Be sure to control access rights and permissions for different user types, so that the right people have access to the right personal data. In addition, it is useful to have different permission levels. For example, not all users of a system should be “Administrators”; in many cases it is sufficient to give most users “read access” and to let only a few have the right to “edit”.

Procedures

Those who assign permissions within the company should receive written instructions on how to do so, including what the different permission levels entail, so that authorization and mandate are allocated correctly. It is also important to have a procedure in place for revoking access rights that have been allocated, for example when an employee leaves the company.
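The following is an added illustration, not code from the Learning Hub, of how the authorization/mandate distinction and the four steps above (analyze roles, document, set permission levels, revoke on departure) can be expressed in a small access-check model. The roles, systems, levels and the “sales staff only process their own customers” instruction are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Permission levels, weakest to strongest (constructed for this example)."""
    NONE = 0
    READ = 1
    EDIT = 2
    ADMIN = 3


# Step 1, "analyze the need": which system access each role requires.
# Most roles get read or edit rights; only IT administration gets ADMIN.
ROLE_ACCESS = {
    "accountant": {"accounting": Level.EDIT},
    "sales": {"crm": Level.READ},
    "it_admin": {"crm": Level.ADMIN, "accounting": Level.ADMIN},
}


@dataclass
class Employee:
    name: str
    role: str
    employed: bool = True
    assigned_customers: set = field(default_factory=set)  # customers this person sold to


def authorized(emp: Employee, system: str, needed: Level) -> bool:
    """Authorization: does the employee's account technically grant this level?"""
    if not emp.employed:  # revoked accounts grant nothing, whatever the role says
        return False
    granted = ROLE_ACCESS.get(emp.role, {}).get(system, Level.NONE)
    return granted >= needed


def has_mandate(emp: Employee, record: dict) -> bool:
    """Mandate: the written instruction that sales staff only process their own customers."""
    if emp.role == "sales":
        return record["customer"] in emp.assigned_customers
    return True  # no narrower instruction exists for other roles in this constructed policy


def may_process(emp: Employee, system: str, needed: Level, record: dict) -> bool:
    """Processing is permitted only when both authorization and mandate are present."""
    return authorized(emp, system, needed) and has_mandate(emp, record)


def revoke_all(emp: Employee) -> None:
    """Step 4, off-boarding procedure: after this every access check fails."""
    emp.employed = False
    emp.assigned_customers.clear()


def access_report() -> dict:
    """Step 2, "document": a written record of which role holds which access."""
    return {role: {s: lvl.name for s, lvl in acc.items()} for role, acc in ROLE_ACCESS.items()}
```

The CRM scenario from the text appears as a sales employee who passes `authorized` for reading the CRM but fails `may_process` for a customer not assigned to them.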

More information about Organisational measures

Education for employees in GDPR and data protection in general

Companies should educate their staff in data protection, including the GDPR. This does not necessarily mean that every employee must be familiar with every rule of the GDPR. If a company has several departments, it is good to train the staff of each department in the matters relevant to their particular tasks. In addition, companies should offer further training to their data protection officer, if they have one. Training is particularly important because in practice it is the employees who process personal data, and if this is not done correctly, it is the company that is considered to be in breach of the GDPR.
