How often should I perform access reviews?

The GDPR does not prescribe a specific frequency, but at least twice a year is a good guideline. For businesses with high staff turnover or external workers, quarterly is wiser.

What do I do if I find an old account that's still active?

Deactivate the account immediately. If it concerns a former employee, check whether that person accessed data in the meantime. Document your finding and the action taken.

Which tools should I check?

All tools where personal data is processed: CRM, accounting software, email tool, HR system, cloud storage, project management, and shared accounts for social media or analytics.

Periodic Access Review for Your Tools | GDPR Security

Who has access to which data in your business? If you don't check regularly, risks accumulate. This article explains how to set up a periodic access review.

Access you forget to revoke is a risk

It’s one of the most common security problems for SMEs: people who once received access to systems and still have it, even though they no longer need it. Last year’s intern who can still access your CRM. The freelancer who can still access your cloud storage. The former employee whose email account is still active.

Every unused access is a potential security risk and a GDPR issue.

Why periodic checks?

Access rights change continuously:

Employees leave - their accounts must be deactivated immediately
Roles change - someone moving from sales to marketing needs different access
External parties change - your old accountant no longer needs system access
Tools change - new software is added, old tools not always cleaned up
Rights accumulate - people gain rights but rarely lose them

How to conduct an access review

1. List your tools

Start with all systems and tools where personal data is processed. Prioritise the most sensitive:

HR and payroll system
Accounting software
CRM system
Email accounts
Cloud storage
Social media accounts
Analytics and advertising platforms

2. Check who has access per tool

Does this person still work here?
Does this person still need this access for their current role?
Is the access level correct (admin vs. regular user)?

3. Clean up

Deactivate accounts of departed employees and external parties
Downgrade rights where someone has too much access
Remove shared accounts and replace them with personal logins

4. Document

Record when you performed the review, what you found, and what actions you took. This is your evidence of active access management.

Make it a routine

Schedule your access review in your calendar, just like you periodically update your accounting. Twice a year is a good starting point. Link it to a fixed moment, for example at the end of each half-year or after every major personnel change.

auto_awesome Document your access management

GDPRWise helps you record which security measures you've taken, including your access policy and reviews.

Start your free scan

Periodically Check Access Controls for All Your Tools