+44 (0) 121 582 0192 [email protected]

GDPR & Access Controls: Which one is right for you?

When it comes to GDPR and access controls, companies often fumble by inadvertently allowing inappropriate access to data.

GDPR requires organisations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (Article 32). This includes incorporating access control measures.

This article discusses:

  • Why access controls matter
  • Role-based access controls (RBAC)
  • Principle of Least Privilege (POLP)

Why access controls matter

It is tempting to give end users administrator rights on their own devices so that nothing blocks them during the working day. However, this introduces considerable risk to your network: anything the user runs, including malware delivered by a phishing email, runs with the same administrative rights, which increases the opportunity for personal data to be compromised.

One widely cited industry survey found that 74% of organisations that had been breached reported that the breach involved abuse of privileged credentials. With that in mind, the importance of access control becomes clear.

Access control means deciding which people and systems may reach which information and resources, and what they may do with them. Appropriate access controls are essential to ensuring GDPR compliance.

Access control is usually discussed in terms of four models and one overarching principle:

  1. Mandatory Access Control (MAC)
  2. Discretionary Access Control (DAC)
  3. Rule-Based Access Control (sometimes written RB-RBAC)
  4. Role-Based Access Control (RBAC)
  5. Principle of Least Privilege (POLP), a principle that can be applied within any of the models above rather than a model in its own right

RBAC and POLP are the most appropriate approaches to implement under GDPR. We break down what these are and how to implement them below.

Role-Based Access Control (RBAC)

Role-Based Access Control provides access to personal data based on employees’ roles when processing data. This means that access permissions are linked to particular positions within the organisation, rather than specific people.

For example, HR associate Jane will have access to salary data. When Jane moves to the Marketing Department, she will no longer have access to salary data, but will now have access to marketing lists, because she needs them to do her job. This only holds if the HR role is actually removed when she moves; adding the new role without removing the old one is the most common way RBAC quietly accumulates privilege.

This is a popular model for access control because of its flexibility and ease of use. Because permissions are assigned to roles instead of individuals, IT departments can react quickly to organisational changes.

However, there are several drawbacks to RBAC:

  • RBAC can complicate permission administration for the IT department, because the number of roles grows as the organisation grows (so-called role explosion), and each role still has to be reviewed.
  • RBAC does not account for differences between a role and day-to-day reality. For instance, a marketing team may have two brand coordinators, but only one of them needs access to the marketing list to do their job; under RBAC both get it.

Principle of Least Privilege (POLP)

The Principle of Least Privilege (POLP) fits naturally with GDPR. POLP limits the access rights of users to the bare minimum needed to do their jobs, which mirrors GDPR's data minimisation principle (Article 5(1)(c)) and lays the groundwork for data protection by design and by default (Article 25).

POLP has several benefits including:

  • Limiting how far malware can spread once it lands on a device
  • Reducing the number of accounts an attacker can usefully compromise
  • Encouraging data classification, since you must know which data is sensitive before you can restrict it
  • Helping to meet global regulatory requirements

POLP is harder to implement than RBAC. Because rights must be scoped per user and per task, and ideally time-limited and reviewed, it usually calls for a privileged access management (PAM) solution rather than having the IT department hand-manage every grant.
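As an added example (not code from the original article or from Formiti), the following Python models both the RBAC behaviour described in the Jane example above and the least-privilege refinement that addresses the "two brand coordinators" drawback. In plain RBAC mode, holding a role is sufficient; in least-privilege mode the role is only a ceiling, and a user also needs a justified, time-limited grant for each permission. The role names, users, permissions and change-ticket references are assumptions constructed for illustration; a real deployment would back this with a directory or PAM tool rather than an in-memory dictionary.

```python
"""Toy RBAC authoriser with a least-privilege refinement (illustrative only)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

Permission = tuple[str, str]  # (resource, action)

# Constructed role model, assumed for this example.
ROLE_PERMISSIONS: dict[str, frozenset[Permission]] = {
    "hr_associate": frozenset({("salary_data", "read")}),
    "brand_coordinator": frozenset({("marketing_list", "read"),
                                    ("campaign_assets", "write")}),
}


@dataclass
class Grant:
    """A per-user, need-to-know entitlement that narrows a role's ceiling."""
    permission: Permission
    justification: str      # e.g. change-ticket reference, kept for audit
    expires: datetime


@dataclass
class User:
    name: str
    roles: set[str] = field(default_factory=set)
    grants: list[Grant] = field(default_factory=list)


def role_ceiling(user: User) -> set[Permission]:
    """Union of everything the user's roles could ever permit."""
    perms: set[Permission] = set()
    for role in user.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def is_authorised(user: User, resource: str, action: str,
                  now: datetime, least_privilege: bool) -> bool:
    perm = (resource, action)
    if perm not in role_ceiling(user):
        return False        # no role permits it, whatever the mode
    if not least_privilege:
        return True         # plain RBAC: role membership suffices
    # Least privilege: the role is only a ceiling; the user also needs a
    # live, justified grant for this specific permission.
    return any(g.permission == perm and g.expires > now for g in user.grants)


def move_to_role(user: User, old_role: str, new_role: str) -> None:
    """Handle a transfer: remove the old role and prune grants it justified."""
    user.roles.discard(old_role)
    user.roles.add(new_role)
    ceiling = role_ceiling(user)
    user.grants = [g for g in user.grants if g.permission in ceiling]


def demo() -> dict[str, bool]:
    """Walk through the scenarios from the text; returns each access decision."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed clock
    r: dict[str, bool] = {}

    # Jane starts in HR and can read salary data.
    jane = User("jane", roles={"hr_associate"})
    r["hr_jane_reads_salary"] = is_authorised(jane, "salary_data", "read", now, False)

    # Jane transfers to Marketing: the HR role goes, so salary access goes too.
    move_to_role(jane, "hr_associate", "brand_coordinator")
    r["marketing_jane_reads_salary"] = is_authorised(jane, "salary_data", "read", now, False)
    r["marketing_jane_reads_list"] = is_authorised(jane, "marketing_list", "read", now, False)

    # Common mistake: adding the new role without removing the old one.
    sloppy = User("sloppy", roles={"hr_associate"})
    sloppy.roles.add("brand_coordinator")
    r["sloppy_still_reads_salary"] = is_authorised(sloppy, "salary_data", "read", now, False)

    # Two brand coordinators: under plain RBAC both can read the marketing list.
    alice = User("alice", roles={"brand_coordinator"})
    bob = User("bob", roles={"brand_coordinator"})
    r["rbac_bob_reads_list"] = is_authorised(bob, "marketing_list", "read", now, False)

    # Under least privilege only Alice, who holds a justified grant, can.
    alice.grants.append(Grant(("marketing_list", "read"), "CHG-1234", now + timedelta(days=30)))
    r["polp_alice_reads_list"] = is_authorised(alice, "marketing_list", "read", now, True)
    r["polp_bob_reads_list"] = is_authorised(bob, "marketing_list", "read", now, True)

    # Grants expire: after 30 days Alice has to re-justify the access.
    r["polp_alice_after_expiry"] = is_authorised(alice, "marketing_list", "read",
                                                 now + timedelta(days=31), True)

    # A grant can never exceed the role ceiling: salary data stays out of reach.
    alice.grants.append(Grant(("salary_data", "read"), "CHG-9999", now + timedelta(days=30)))
    r["polp_alice_reads_salary"] = is_authorised(alice, "salary_data", "read", now, True)
    return r


if __name__ == "__main__":
    for scenario, allowed in demo().items():
        print(f"{scenario:32} {'ALLOW' if allowed else 'DENY'}")
```

Running `demo()` gives one decision per scenario. The `sloppy` case is the one to watch for in practice: a transfer that only adds the new role leaves the old access in place, which is exactly the inappropriate access the article opens with. The least-privilege mode keeps the RBAC role as a ceiling, so the grant-based narrowing can only ever remove access, never add it.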

Final Thoughts

No access control model is perfect. However, we recommend the Principle of Least Privilege because it best reflects the principles of GDPR.

To learn more about Formiti’s global data regulation services, email [email protected] or call us on +44 (0) 121 582 0192.