Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Denmark: Datatilsynet issues guide on managing data access rights

On December 7, 2023, the Danish data protection authority (Datatilsynet) announced that it had published guidance on managing access rights. In particular, the guidance discusses among other things, the concept of rights management, which is defined as managing access to an organization's IT systems and premises as well as the information individual users can access.

Who is responsible for rights management?

According to the guidance, rights management in an organization is a collective responsibility, encompassing various roles each with specific duties. The guidance notes that data processors and IT system operators should ensure IT systems are configured to uphold rights management policies. Whereas, data protection officers (DPOs) are responsible for monitoring and advising on personal data protection, to prevent unauthorized access.

Notably, the guide states that all employees, in an organization irrespective of their role in IT security, share the responsibility of being aware of their access rights and ensuring they align with their work requirements.

What measures can be taken to ensure effective rights management?

Further, the guide outlines technical and organizational measures that can be implemented to ensure responsible rights management. These measures include among other things:

  • multi-factor authentication (MFA);

  • logging user access to personal data; 

  • automatic access control;

  • minimizing privileged access rights; and

  • implementing role-based access rights.

According to the guide, a comprehensive understanding of an organization's IT environment is essential to implement appropriate rights management measures, whether internally or through an external supplier. The guide recommends that organizations should conduct a risk assessment of all rights management measures to identify and mitigate information security risks.

What are the consequences of poor rights management?

Notably, the guide provides the following examples of the potential consequences of ineffective rights management:

  • lack of access restriction;
  • ransomware;
  • errors due to a lack of IT skills;
  • abuse of superuser rights; and
  • failure to remove access during employee off-boarding.

You can read the press release here and the guide here, both only available in Danish.