Access to personal data

It is important that, as an organisation, you ensure that unauthorised persons do not gain access to the personal data that you process. You do this by restricting access to personal data. How far this is necessary depends on the purpose for which you process personal data and the context within which you do this.

Implement an authorisation matrix

You have to implement an authorisation matrix even if the risk level is quite low. In this matrix, you record the access rights for all systems you use. In doing so, you look at which information each employee needs in order to do their job. This matrix must be sufficiently detailed, and you must keep it up to date. In combination with the right authorisation measures, this will enable you to prevent unauthorised access.

Use multifactor authentication

It is recommended that you use multifactor authentication for all systems with access control. Also enable multifactor authentication for (business) instant messaging services (such as WhatsApp) and mail applications.

Log access to systems

As an organisation, you must ensure appropriate security of the personal data that you process. You must also arrange authorisations properly, i.e. determine and record which access rights your employees have. Logging is used to record events in your systems: for example, who has performed which processing operations, such as viewing or adjusting personal data. It also covers attempts to gain unauthorised access.

By keeping logfiles and checking them, or having them analysed, on a regular basis, you can discover security breaches (sooner). After a security incident, you can also take more targeted measures to limit the damage and prevent damage in the future.
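As an added example (not part of this guidance), the Python script below checks constructed access-log lines against a constructed authorisation matrix of the kind described above: it flags successful actions that the matrix does not permit, and denied attempts to gain access. The matrix, the roles, the user names and the log format are all assumptions made for the example.

```python
"""Review access logs against an authorisation matrix (constructed example)."""

# Authorisation matrix (assumed): role -> system -> operations the role may perform.
# In practice this is the matrix the organisation records and keeps up to date.
AUTH_MATRIX = {
    "hr_officer":   {"hr_records": {"view", "edit"}},
    "support_desk": {"crm": {"view"}},
    "sysadmin":     {"hr_records": {"view"}, "crm": {"view"}},
}

# Which employee holds which role (assumed).
ROLE_OF = {"alice": "hr_officer", "bob": "support_desk", "carol": "sysadmin"}

# Constructed log lines: timestamp, user, system, operation, outcome.
SAMPLE_LOG = """\
2024-03-01T08:02:11 alice hr_records view success
2024-03-01T08:05:40 bob crm edit denied
2024-03-01T08:06:02 bob crm edit success
2024-03-01T08:10:27 carol hr_records view success
2024-03-01T08:11:05 dave crm view success
2024-03-01T09:00:00 bob crm view success
"""

def parse_log(text):
    """Turn whitespace-separated log lines into event dictionaries."""
    events = []
    for line in text.splitlines():
        ts, user, system, op, outcome = line.split()
        events.append({"ts": ts, "user": user, "system": system, "op": op, "outcome": outcome})
    return events

def is_authorised(user, system, op):
    """True only if the user's role allows this operation on this system."""
    role = ROLE_OF.get(user)            # unknown users have no role, so no rights
    return op in AUTH_MATRIX.get(role, {}).get(system, set())

def review(events):
    """Return findings: denied attempts, and successful actions outside the matrix."""
    findings = []
    for e in events:
        if e["outcome"] == "denied":
            findings.append(("denied_attempt", e["ts"], e["user"], e["system"], e["op"]))
        elif not is_authorised(e["user"], e["system"], e["op"]):
            findings.append(("outside_matrix", e["ts"], e["user"], e["system"], e["op"]))
    return findings

if __name__ == "__main__":
    for finding in review(parse_log(SAMPLE_LOG)):
        print(*finding)
```

A successful action that the matrix does not permit points either to an authorisation that was never recorded in the matrix or to a genuine access problem; both are worth following up.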

Logging is itself a form of personal data processing, and one that may invade the privacy of your employees, because it lets you determine exactly what they did in your systems and when they did it. That is why you should think carefully, in advance, about what exactly you want to log.

You have to assess for all your processing operations whether logging is necessary. Check if:

  • the purpose of logging is proportionate to the invasion of the privacy (proportionality);
  • you cannot achieve the purpose in any other, less intrusive way (subsidiarity).

Whether you need to check your logfiles, or have them analysed, on a regular basis depends on the estimates in your risk analysis.

When do you have to log access to systems?

The GDPR does not explicitly say that logging who has had access to personal data is mandatory. In most cases, though, it is a necessary security measure. There are some sectors, however, where logging access is mandatory. This concerns situations in which sensitive personal data or special categories of personal data are processed, which is the case, for example, at financial institutions, in the healthcare sector, or at the (central) government.

Security of logging

Since logging is a form of personal data processing, you must properly secure this processing as well.

Tech blog post

In the tech blog post Factors in authentication we explore the concept 'authentication' (in Dutch).