GDPR: The five essentials of data access control

Organisations now have under a year to prepare for the introduction of the general data protection regulations. One action that needs to be prioritised is establishing clear and secure user access to any data that the organisation holds.

Ask the questions:

·         What data do we collect and keep?

·         Why do we need this data (do we really need it)?

·         Is the data being used beyond its original intent? If so, why and can we stop it?

·         Who has access to this data?

To comply with GDPR, organisations will need to have strict data access control and a full awareness of what data they hold, why they are holding it and what permissions they have to use it.

GDPR gives individuals more control of their data and organisations must be prepared to deal with access and deletion requests from May 2018.

So, what do organisations need to do to be ready in time?

1. Look at how you work with data now

How is data collected and shared? You may store customer information in a database, but can that data be downloaded into Excel or csv files? Can it then be copied from a person’s desktop and taken home on a USB stick? Maybe the spreadsheet’s uploaded to Google Drive where people from various departments can access and analyse the data for their own projects.

This doesn’t have to be customer data. It could be employee’s emergency contacts. It doesn’t need to be information stored on a spreadsheet; it could be that file of old CVs you have from interviews stretching back over the past decade. Do you know who uses that information? Do you know why they use it, or what permissions that data has attached to it?

Take these months before GDPR comes into force to carry out an assessment. What data do you have? Why do you have it? Can any of it be deleted?

Under GDPR, organisations will need to become more efficient and secure in their data processing. There will need to be clear evidence of permission for not just the initial data collection, but for each different application of the data. Data needs to be stored in a way that makes it easy to remove an individual’s information, if requested.

2. Introduce software designed around privacy

Any system or process implemented must include “privacy by design”.

While it may be convenient and insightful to share data between teams and departments, the privacy and protection of personal data is paramount. GDPR demands that any data held on EU citizens or within the EU must be secure, and that permission has been sought and attained when using that data for anything beyond the initial agreement.

This doesn’t have to mean that everyday operations need to grind to a halt as people struggle to acquire and store the appropriate permissions. Instead, organisations will start to use software designed with data protection in mind.

3. Store data with the “Right to be Forgotten” in mind

The Right to be Forgotten is a key part of GDPR and sets out the rights of any EU citizen to ask organisations to delete any and all of their data. While the deletion request won’t be granted in all cases, every organisation needs to be aware of this right. Every organisation must have processes in place to deal with requests in a timely manner.

How can data be stored in a way that makes it easy to identify and separate an individual’s data? Can data be quickly and easily deleted without compromising other data?

Use the time before GDPR comes into force to assess the impact that the Right to be Forgotten will have on regular business practices. How will the organisation track a person’s history with them if data can be deleted?

4. Look at how you manage permissions

Many organisations put personal data to use in a variety of ways. Sign-up to an online supermarket and you’ll inevitably start receiving marketing materials as well as your weekly food delivery. But do these organisations get permission from people every time they use their data? Maybe that person wants to be a customer, but they don’t want their product purchase history assessed and analysed.

GDPR requires organisations to gain explicit permission for any personal data use beyond the original intended purpose.

What permissions do you have for the data you currently hold? What changes will the organisation need to make to make consent a priority?

5. Prepare for a crisis

72 hours. That’s how long organisations will have to notify the relevant authorities once a data breach occurs (if that data breach impacts “the rights and freedoms of individuals”). Fail to notify authorities of a breach and the organisation could be fined up to 20 million Euros or 4% of global turnover.

Organisations have to start planning their responses now. These processes have to be in place by the time GDPR comes into force.

While organisations will have to change many of their data management, collection and access practices before May 2018, these new rules will create a more efficient data management system in the long-term. 

By Dharmendra Patel, Head of strategy and Finance, Pushfor.


European Data Protection Summit will take place on June 3rd in Central London and will play host to 800 DPO’s, Security Professionals and senior business decision makers looking for; information, updates, clarity, advice and solutions. For more information, visit the website.