The principle: least privilege
The core of good access control is simple: give every person only the access they need for their work, nothing more. This is called the “least privilege” principle.
Your sales team needs customer data in the CRM, but not the personnel files. Your accountant needs financial records, but not the marketing contact list. Your office manager may need both, but doesn’t need admin rights on every system.
How to implement access control
1. Inventory who has access to what
For each system, map who currently has access and at what level (admin, editor, viewer). You’ll likely find that many people have more access than they need.
2. Define roles
Instead of granting rights per person, create roles: “Sales”, “Finance”, “HR”, “Management”. Each role gets access to the systems needed for that function.
3. Apply least privilege
Review each role and ask: does this role really need this access? Remove everything that’s not strictly necessary.
4. Use personal accounts
Every person gets their own account. No shared logins. This lets you trace who did what, and easily revoke access when someone leaves.
5. Enforce strong authentication
- Minimum 12-character passwords
- Unique per system (use a password manager)
- Two-factor authentication (2FA) on all systems with personal data
6. Block access on departure
Create a checklist for employee departures: deactivate all accounts on the same day. Don’t wait “until IT gets around to it”.
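Once the inventory from step 1 and the roles from step 2 exist, the checks in steps 3 to 6 can be run as a recurring access review. The Python sketch below is an added example, not part of the original article: the role names come from step 2, while the systems, accounts, levels and finding labels are constructed assumptions.

```python
from datetime import date

LEVELS = {"viewer": 1, "editor": 2, "admin": 3}
# Step 2: role -> system -> highest level that role needs (constructed values).
ROLES = {
    "Sales": {"crm": "editor"},
    "Finance": {"accounting": "editor"},
    "Management": {"crm": "viewer", "accounting": "viewer"},
}
# Constructed staff list; "left" is the departure date, None while employed.
STAFF = {
    "anna": {"role": "Sales", "left": None},
    "bram": {"role": "Finance", "left": None},
    "carl": {"role": "Sales", "left": date(2024, 3, 1)},
}
# Step 1 inventory (constructed): (system, account, level, has_2fa).
INVENTORY = [
    ("crm", "anna", "editor", True),
    ("crm", "bram", "viewer", True),           # Finance has no CRM need
    ("accounting", "bram", "admin", False),    # above role level, no 2FA
    ("crm", "carl", "editor", True),           # has left the company
    ("crm", "sales-shared", "editor", False),  # login not tied to one person
]
PERSONAL_DATA_SYSTEMS = {"crm", "accounting"}

def review(inventory, staff, roles, today):
    """Return (system, account, finding) for every grant that breaks steps 3-6."""
    findings = []
    for system, account, level, has_2fa in inventory:
        person = staff.get(account)
        if person is None:  # step 4: every account must map to one person
            findings.append((system, account, "shared-or-unknown-account"))
        elif person["left"] and person["left"] <= today:  # step 6: same day
            findings.append((system, account, "departed-still-active"))
        else:  # step 3: nothing beyond what the role defines
            allowed = roles[person["role"]].get(system)
            if allowed is None or LEVELS[level] > LEVELS[allowed]:
                findings.append((system, account, "exceeds-role"))
        if system in PERSONAL_DATA_SYSTEMS and not has_2fa:  # step 5
            findings.append((system, account, "no-2fa"))
    return findings

if __name__ == "__main__":
    for finding in review(INVENTORY, STAFF, ROLES, date(2024, 3, 1)):
        print(*finding)
```

The date of each run and its findings can serve as the record of when access rights were last reviewed.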
What to document
In your security documentation, record:
- Which roles exist and what access they have
- How access is granted and revoked
- When you last reviewed access rights
- How authentication is enforced (password policy, 2FA)
GDPRWise helps you document which security measures you've taken, including your access policy.