GDPR: Manage access permissions
One of the key guiding principles of Data Protection legislation is that personal information should only be shared on a ‘need-to-know’ basis. Individuals who don’t need to know specific details about a person in order to do their job or to complete a task shouldn’t be given access to those details.
Different levels of access
Appropriate sharing of personal data can be managed by allowing different levels of access. In Engage software, there are several user types which come with different access permissions. Line managers can only access records of their direct reports, for example, whereas department managers have access to the entire department. Only administrators can amend employee details. Coordinators can receive notifications, but don’t have any online access.
An important element is effective leaver management. When a manager or an employee leaves the company, it is important that access to all systems is revoked. In the case of Engage, this means re-assigning direct reports to their new manager in order to remove the leaver. Simply removing the user’s email address will also immediately stop their access.
Ongoing access permission audits
Configuring access levels and updating leavers’ details is simple enough, but in a large organisation it may not be so straightforward to keep this under control. To help employers ensure they’re compliant with Data Protection legislation, we now offer company administrators a new report called “User Permissions”.
This lists all active employees in the selected company or department and shows their active access level. Using the User Permissions report, HR or senior management teams can easily get an overview of the existing users and take action if the access permissions need to be revised.