Internal user

Based on the functional groups within a company, it is determined who should have access to the processing of personal data.

Principles

Need-to-know

A person only needs access to the processing if their function requires it.

If someone does not need access or rights for the processing, their account must not be given access to this information.

This is achieved by a combination of technical and organizational measures:

  • Organizational: the principle of tying access to data to the functional role assigned to a user
  • Organizational: determining who should have access
  • Technical: enforcing access control by technical means

Segregation of duty

This rule applies to sensitive functions that can have a significant impact on the company.

For instance, the internal auditor should be a different person from the one holding the operational role; otherwise a person would be investigating their own work, which makes no sense.

Within the framework of anti-fraud mechanisms, for example, a four-eyes principle applies: one person has the role of creating the transaction, and another person must have the role of approver.

More functional groups than staff?

In small businesses, functions are typically consolidated in one person. Even so, preserve the distinction between the approaches to the processing: it may be the same person who exercises the access, but the capacity in which they act (the role) determines why the person needs access to the information. For example, access as internal auditor is normal in the context of an inquiry, whereas access as IT support person may be required to check the correctness of certain things or to debug.

Professional confidentiality?

Use the confidentiality clause in the contract to make your organization and its employees aware of their roles and responsibilities, and of the confidentiality of all information processed.

Individuals

It may be that a person is not covered by a specific role but nevertheless needs access to the information. In that case you can always assign access to specific individuals.

Note: this can only be a natural person, as a legal entity is regarded as a different party.
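The principles above (need-to-know through functional roles, the four-eyes segregation of duty, and direct assignment to individuals) in one small access model, written as an added example and not code from the original page. The roles, permissions, user names and the "payroll" processing activity are all constructed for the illustration.

```python
"""Constructed model of the access principles on this page (example code).
Functional roles carry permissions on processing activities (need-to-know),
an individual may be granted a permission directly, and a four-eyes rule
rejects an approver who is also the creator of the transaction."""
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed mapping of functional role -> permissions on processing activities.
ROLE_PERMISSIONS = {
    "hr_officer": {"payroll:create"},
    "finance_manager": {"payroll:approve"},
    "internal_auditor": {"payroll:read"},
    "it_support": {"payroll:debug"},
}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    direct: Set[str] = field(default_factory=set)  # granted to the individual, not via a role

    def permissions(self) -> Set[str]:
        """Effective permissions: role-derived plus individually assigned ones."""
        perms = set(self.direct)
        for role in self.roles:
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms


def can(user: User, permission: str) -> bool:
    """Need-to-know: deny unless a role or a direct assignment grants the right."""
    return permission in user.permissions()


@dataclass
class Transaction:
    creator: str
    approver: Optional[str] = None


def approve(tx: Transaction, approver: User) -> bool:
    """Four-eyes: the approver needs the approve right AND must differ from the creator.
    The second check still holds when one person holds both roles (small business case)."""
    if not can(approver, "payroll:approve"):
        return False
    if approver.name == tx.creator:
        return False
    tx.approver = approver.name
    return True
```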

Last modified: Monday, 19 June 2023, 6:39 PM