France Travail: 43 million affected because employees had too much access
When the CNIL investigated the France Travail breach, it found something many organisations would recognise in their own systems if they looked: access rights defined far too broadly. CAP EMPLOI advisors, staff of partner organisations that support job seekers, had access to the data of every registered user, not only the job seekers they were actually supporting. This was not a deliberate decision. It was simply how the system had been configured, and nobody had gone back to check.
GDPR Article 5(1)(f), the integrity and confidentiality principle, requires appropriate security against unauthorised access, which in practice means that personal data may only be accessible to the limited set of people who have a legitimate need for it. This is a concrete obligation, and it applies internally as much as externally: who in your organisation has access to what?
Practical point: Review the access rights in the three systems where you process the most sensitive personal data. Who has access, to what, and why? Does anyone still have access they no longer need, because they changed role, left the organisation, or simply because "it has always been like this"?
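As an added illustration of the review the practical point asks for (this is example code written for this page, not anything from the CNIL or France Travail; the systems, field names, sample people and rules are assumptions), the script below joins an access export to an HR roster and flags the situations named above: access that outlived a role change, access that survived a departure, access with no owner in HR, access with no recorded reason, and an advisor whose scope is "all records" when only a handful are actually assigned to them. It also shows the check the system should have been making instead of granting blanket access: an advisor may open a job seeker's record only if that job seeker is in their caseload.

```python
"""Stale-entitlement review: join an access export to an HR roster and flag
rights that should no longer exist. Example code, not a real export format;
every name, field and rule here is an assumption for illustration."""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Entitlement:
    user: str
    system: str
    scope: str           # "all" (every record) or "caseload" (assigned records only)
    granted: date
    justification: str   # change ticket or reason recorded at grant time; "" if none


@dataclass
class Person:
    user: str
    status: str          # "active" or "left"
    role: str
    role_since: date     # start of the current role
    caseload: frozenset = field(default_factory=frozenset)  # job seekers assigned to this user


# Constructed sample data (not real people, not France Travail data).
ROSTER = {
    "alice": Person("alice", "active", "advisor", date(2022, 1, 10), frozenset({"js-1", "js-2"})),
    "bob":   Person("bob",   "active", "payroll", date(2024, 6, 1)),   # moved from advisor to payroll
    "carol": Person("carol", "left",   "advisor", date(2021, 3, 1)),
    "dave":  Person("dave",  "active", "advisor", date(2023, 9, 1), frozenset({"js-3"})),
}
EXPORT = [
    Entitlement("alice", "jobseeker-db", "all",      date(2022, 1, 12), ""),
    Entitlement("bob",   "jobseeker-db", "caseload", date(2023, 2, 5),  "CHG-100"),
    Entitlement("carol", "jobseeker-db", "caseload", date(2021, 3, 2),  "CHG-50"),
    Entitlement("dave",  "jobseeker-db", "caseload", date(2023, 9, 2),  "CHG-200"),
    Entitlement("erin",  "jobseeker-db", "all",      date(2020, 5, 5),  "CHG-10"),
]


def review(export, roster):
    """Return (user, system, finding) tuples. Entitlements with no finding are the
    only ones that can be kept without a decision; everything else needs an owner
    to confirm, reduce or revoke it."""
    findings = []
    for e in export:
        p = roster.get(e.user)
        if p is None:
            # Account exists in the system but not in HR: nobody owns this right.
            findings.append((e.user, e.system, "orphan: no HR record"))
            continue
        if p.status != "active":
            findings.append((e.user, e.system, "leaver still has access"))
            continue
        if e.granted < p.role_since:
            # The right was approved for a previous job, not the one the person holds now.
            findings.append((e.user, e.system,
                             f"granted before current role '{p.role}' (role since {p.role_since})"))
        if e.scope == "all" and p.role == "advisor":
            # The CAP EMPLOI pattern: blanket access where a caseload-sized scope would do.
            findings.append((e.user, e.system,
                             f"scope 'all' but only {len(p.caseload)} assigned record(s)"))
        if not e.justification:
            findings.append((e.user, e.system, "no recorded justification"))
    return findings


def can_access(user, record, roster):
    """Least-privilege check the application should enforce: an active user may open
    a job seeker's record only if that job seeker is in their caseload."""
    p = roster.get(user)
    return p is not None and p.status == "active" and record in p.caseload


if __name__ == "__main__":
    for user, system, finding in review(EXPORT, ROSTER):
        print(f"{user:6} {system:13} {finding}")
```

Run against a real export, the review produces a worklist rather than a verdict: each finding has to be confirmed, narrowed or revoked by the owner of the system, and the date the decision was recorded is what answers the question "and why?" the next time round.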
Inspired by: CNIL