EU Regulation · Effective May 25, 2018

Do I Need User Access Review for GDPR?

The General Data Protection Regulation doesn’t say “User Access Review” in plain text — but our reading of the regulation makes the answer unmistakably clear.

OUR INTERPRETATION

Why does GDPR mandate User Access Review?

GDPR is built on the principles of “data minimisation” and “least privilege” — only the right people should access personal data, and only for as long as they need to. This isn’t just guidance; it’s embedded in multiple legally binding articles. Without regularly reviewing who has access to systems containing personal data, you cannot demonstrate compliance.

Data Minimisation

Personal data shall be “adequate, relevant and limited to what is necessary” — this directly governs who may access it. If you’ve never reviewed whether users still need their access, you cannot claim minimisation.

Integrity & Confidentiality

Data must be processed “in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing.” Unreviewed accounts are a direct threat to this principle.

Data Protection by Default

Controllers must ensure that “by default, only personal data which are necessary for each specific purpose are processed” — including ensuring access is limited to those who genuinely need it.

Security of Processing

Article 32 requires “the ability to ensure the ongoing confidentiality, integrity, availability and resilience” of processing systems — which demands active governance of who holds access rights at any given time.

Directly from the GDPR Text

The following passages are cited from the official GDPR regulation (Regulation (EU) 2016/679).

gdpr-info.eu · Official GDPR Text · Art. 5 & Art. 25 & Art. 32

Article 5(1)(c) — Data Minimisation

“Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”

Article 25(2) — Data Protection by Default

“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”

Article 32(1)(b) — Security of Processing

“Taking into account the state of the art… the controller and processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: the ongoing confidentiality, integrity, availability and resilience of processing systems and services.”

Where to find this in the regulation?

→ Official GDPR text — gdpr-info.eu → Chapter II → Article 5 (Principles)

→ Official GDPR text — gdpr-info.eu → Chapter IV → Article 25 (Privacy by Design)

→ Official GDPR text — gdpr-info.eu → Chapter IV → Article 32 (Security of Processing)

→ Recitals 39, 78, and 83 — provide interpretive context for access limitations

→ EDPB Guidelines 4/2019 — on Article 25 (Data Protection by Design and Default)

Squarum's Interpretation

What does this mean in practice?

Regular access reviews are not optional

Article 5(1)(f) combined with the accountability principle (Art. 5(2)) means you must be able to demonstrate — at any point — that only necessary people have access to personal data. You cannot demonstrate this without periodic reviews.

Former employees and role changes trigger immediate review

GDPR’s “data protection by default” (Art. 25(2)) means access must be revoked when no longer needed. Leavers and movers must trigger a formal review and deprovisioning process.

You must be able to prove it to the DPA

Under the accountability principle (Art. 5(2)), the controller must be able to demonstrate compliance. Access review logs, timestamps, and decisions are the evidence regulators will expect to see in an investigation.

Privilege creep is a GDPR violation

When users accumulate access over time that they no longer need, this violates the minimisation and “by default” access principles. User Access Review is the primary mechanism to catch and remediate this creep.
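As an added illustration (not Squarum's code and not part of the original page), here is a minimal access review reconciliation in Python that flags the three cases described above (leavers, movers, privilege creep) and records a timestamped decision for each as evidence. All roster, role-baseline and entitlement data are constructed samples.

```python
# Added example (not Squarum's code): reconcile an entitlement export against an
# HR roster and a per-role baseline, flagging leavers, movers and privilege
# creep, and emitting a timestamped evidence record per finding. All data is
# constructed for illustration.
from datetime import datetime, timezone

# Constructed HR roster: user -> (status, current role)
HR_ROSTER = {
    "alice": ("active", "support"),
    "bob": ("active", "finance"),
    "carol": ("left", "support"),       # leaver
    "dave": ("active", "engineering"),  # mover: was in finance last quarter
}
# Constructed baseline: minimum entitlements each role needs
ROLE_BASELINE = {
    "support": {"crm_read"},
    "finance": {"erp_read", "erp_write"},
    "engineering": {"repo_write"},
}
# Constructed entitlement export from the system holding personal data
ENTITLEMENTS = {
    "alice": {"crm_read"},
    "bob": {"erp_read", "erp_write", "crm_read"},  # creep: crm_read not needed
    "carol": {"crm_read"},                          # leaver still has access
    "dave": {"repo_write", "erp_write"},            # mover kept old finance right
}

def review_access(roster, baseline, entitlements, now=None):
    """Return one evidence record per (user, entitlement) that needs revoking."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for user, grants in sorted(entitlements.items()):
        status, role = roster.get(user, ("unknown", None))
        allowed = baseline.get(role, set())
        for ent in sorted(grants):
            if status != "active":
                reason = "leaver_or_unknown_user"   # Art. 25(2): no longer needed
            elif ent not in allowed:
                reason = "exceeds_role_baseline"    # privilege creep / mover residue
            else:
                continue                            # within baseline: approved
            findings.append({"user": user, "entitlement": ent, "role": role,
                             "reason": reason, "decision": "revoke",
                             "reviewed_at": now.isoformat()})  # Art. 5(2) evidence
    return findings

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ROLE_BASELINE, ENTITLEMENTS):
        print(finding)
```

In a real review the "revoke" decision would go to the entitlement owner for confirmation, and the records would be retained as the audit trail a DPA can ask for.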

Maximum fine: €20M or 4% of global annual turnover

GDPR violations carry some of the heaviest data protection fines in the world. Inadequate access controls have been a contributing factor in multiple high-profile enforcement actions across the EU.

Let Squarum automate your GDPR access reviews

Stop relying on spreadsheets. Squarum gives you scheduled reviews, automated evidence collection, and a full audit trail — built for GDPR compliance.