
GDPR Article 32 and Access Control: Demonstrating Appropriate Technical Security Measures

Article 32 requires appropriate technical measures to protect personal data. Article 5(2) requires you to prove it. DPAs investigating breaches ask, above all else: who had access to the data, was that access appropriate, and when was it last reviewed? Here is how to answer with evidence.

May 2026 · 8 min read

GDPR and Article 32: What It Actually Requires

The General Data Protection Regulation (Regulation (EU) 2016/679) has applied across the EU and EEA since 25 May 2018. For UK organisations, the UK GDPR — retained post-Brexit — applies equivalent requirements. While GDPR is often discussed in the context of cookie consent and privacy policies, its enforcement focus since 2020 has increasingly shifted to Article 32: the requirement for appropriate technical and organisational measures to ensure security commensurate with the risk.

Unlike prescriptive standards such as PCI DSS or HIPAA, GDPR does not specify exactly which controls to implement. Instead, Article 32(2) requires organisations to consider "the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk." This flexibility sounds reasonable — but in practice it means that when a Data Protection Authority investigates a breach, they make their own judgement about whether your access controls were appropriate for the risk level of the data you were processing.

Access control consistently appears in DPA enforcement decisions as either an explicit violation or as the enabling factor behind a data breach. The question organisations must be able to answer is not just "do we have an access control system?" but "can we demonstrate that access to personal data was limited to those who needed it, was reviewed regularly, and was removed when no longer required?"

The Four Articles That Govern Access Control Under GDPR

Article | Relevance to access control
Art. 5(1)(f) | Principle of integrity and confidentiality: personal data must be processed with appropriate security, including protection against unauthorised access. Access control is the primary technical measure for this principle.
Art. 5(2) | Accountability principle: the controller is not only responsible for compliance but must be able to demonstrate it. This is the article that requires evidence; policies alone are insufficient.
Art. 25 | Data protection by design and by default: only personal data necessary for each specific purpose is processed by default. For access control, this means minimum necessary access: users should have access only to what their role requires.
Art. 32(1)(b) | Appropriate technical measures: ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems. Access controls are specifically referenced as a relevant measure in Recital 83.
Art. 33 | Breach notification: in the event of a personal data breach, the controller must notify the DPA within 72 hours and characterise the scope of compromised data, which requires knowing exactly who had access to what.

Article 5(2) is the accountability trap

Many organisations have access control processes. Far fewer can demonstrate them. When a DPA investigates — whether following a breach report or a complaint — they do not accept verbal descriptions of how access is managed. They ask for records: who had access to this database on this date, when was that access granted, when was it last reviewed, and by whom. The inability to answer these questions quickly and accurately is itself an Article 5(2) violation, regardless of whether the underlying access was appropriate.

Why management and Data Protection Officers must prioritise this

GDPR fines for Article 32 violations are not theoretical. Between 2020 and 2024, European DPAs issued over €4 billion in total fines, with access control failures as a contributing factor in dozens of the largest cases. The maximum fine for an Article 32 violation is €10 million or 2% of global annual turnover — and for the Article 5 data protection principles it is €20 million or 4% of global turnover. Beyond fines, a DPA investigation is a public event: enforcement decisions are published, and the reputational consequences of being named in a DPA decision for inadequate access controls routinely cause far more commercial damage than the fine itself. DPOs who cannot demonstrate compliance under Article 5(2) are in a legally exposed position, particularly in jurisdictions that require DPO registration.

What DPAs examine when investigating Article 32

DPA investigations — whether following a mandatory breach report under Article 33 or a complaint — follow a consistent pattern when examining access control:

  • Access matrix at time of breach: "Provide a list of all users with access to the affected system at the time of the incident." If you cannot produce this quickly, it suggests the access was not managed — which is itself a violation.
  • Least privilege assessment: Did every user who had access actually need it? Do you have a business justification for each access grant? This tests Article 25 data minimisation by default.
  • Periodic review evidence: "When was access last reviewed? Who conducted the review? What did they conclude about the appropriateness of access?" Without review records, the DPA infers that access was never formally assessed.
  • Former employee access: A consistent finding in breach investigations is that the data exposure involved an account belonging to a former employee or contractor whose access was not removed on termination.
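Each of the four questions above can be answered mechanically if access is recorded per grant rather than per quarterly email. The script below is an added illustration, not code from this page or from AllowNow: it runs over constructed grant records and a constructed HR leaver list (field names, dates and user names are my own choices) and produces the access matrix for a system on a given date, the grants outside the review window, the grants with no recorded justification, the still-active accounts of leavers, and the admin share of active access that the data-minimisation question turns on.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed sample schema: one record per (user, system) access grant.
# The field names are this example's own, not a schema from the page or any product.
@dataclass
class Grant:
    user: str
    system: str
    level: str                         # "read", "write" or "admin"
    granted_on: date
    granted_by: str                    # who approved the grant (accountability chain)
    justification: Optional[str]       # business reason recorded at grant time
    last_reviewed_on: Optional[date]   # None = never formally reviewed
    reviewed_by: Optional[str]
    revoked_on: Optional[date] = None  # None = still active

# Constructed sample data (hypothetical users and systems).
GRANTS = [
    Grant("alice", "crm", "admin", date(2025, 1, 6), "it-lead", "CRM platform owner",
          date(2026, 2, 3), "it-lead"),
    Grant("bob", "crm", "read", date(2025, 3, 1), "sales-mgr", "Account handling",
          date(2026, 2, 3), "sales-mgr"),
    Grant("carol", "analytics", "admin", date(2025, 5, 12), "cto", None, None, None),
    Grant("dave", "crm", "write", date(2024, 9, 2), "sales-mgr", "Sales rep",
          date(2025, 9, 2), "sales-mgr"),
    Grant("erin", "hr-db", "read", date(2025, 2, 10), "hr-lead", "Payroll processing",
          date(2026, 1, 15), "hr-lead", revoked_on=date(2026, 3, 1)),
]

# Constructed leaver list from HR: user -> termination date.
LEAVERS = {"dave": date(2026, 1, 31)}

AS_OF = date(2026, 4, 1)            # date the report is produced
INCIDENT_DATE = date(2026, 3, 15)   # hypothetical breach date for the Art. 33 question

def is_active(g: Grant, on: date) -> bool:
    """A grant is in force on a date if granted by then and not yet revoked."""
    return g.granted_on <= on and (g.revoked_on is None or g.revoked_on > on)

def access_matrix(grants, system: str, on: date):
    """Art. 33 breach-scope question: who held access to this system on this date?"""
    return sorted((g.user, g.level) for g in grants
                  if g.system == system and is_active(g, on))

def stale_reviews(grants, as_of: date, window_days: int = 90):
    """Active grants not reviewed inside the periodic window, or never reviewed."""
    cutoff = as_of - timedelta(days=window_days)
    return [g for g in grants if is_active(g, as_of)
            and (g.last_reviewed_on is None or g.last_reviewed_on < cutoff)]

def missing_justification(grants, as_of: date):
    """Active grants with no recorded business reason (Art. 5(2) / Art. 25 gap)."""
    return [g for g in grants if is_active(g, as_of) and not g.justification]

def admin_share(grants, as_of: date) -> float:
    """Proportion of active grants that are admin-level (data minimisation signal)."""
    active = [g for g in grants if is_active(g, as_of)]
    return sum(1 for g in active if g.level == "admin") / len(active) if active else 0.0

def orphaned_access(grants, leavers, as_of: date):
    """Grants still active for people HR records as having left."""
    return [g for g in grants if is_active(g, as_of)
            and g.user in leavers and leavers[g.user] <= as_of]

def report(grants, leavers, as_of: date, window_days: int = 90) -> dict:
    """Summarise the findings an investigator asks for, as user@system labels."""
    label = lambda gs: sorted(f"{g.user}@{g.system}" for g in gs)
    return {
        "admin_share": round(admin_share(grants, as_of), 2),
        "stale_reviews": label(stale_reviews(grants, as_of, window_days)),
        "missing_justification": label(missing_justification(grants, as_of)),
        "orphaned_access": label(orphaned_access(grants, leavers, as_of)),
    }

if __name__ == "__main__":
    print("CRM access on", INCIDENT_DATE, ":", access_matrix(GRANTS, "crm", INCIDENT_DATE))
    for key, value in report(GRANTS, LEAVERS, AS_OF).items():
        print(f"{key}: {value}")
```

The point of recording `granted_by`, `reviewed_by` and `revoked_on` on every grant is that the same records answer both the historical question ("who had access on the incident date?") and the current one ("what is unreviewed or unjustified today?"); a review that only sends a summary email cannot reconstruct either.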

The Accountability Gap in Practice

Most organisations affected by GDPR enforcement actions had access control systems in place. The problem was not the absence of controls — it was the inability to demonstrate that the controls operated as intended. This is the accountability gap: the space between "we have a process" and "we can prove the process ran on this date, reviewed this access, and made this decision."

The gap manifests in three ways. First, access reviews happen but are not recorded in a way that produces per-record evidence — a quarterly email to managers produces no individual decision trail. Second, the process runs but does not cover all systems — a central HR system is reviewed, but the analytics platform with personal data is forgotten. Third, the records exist but are not retrievable quickly — when a DPA asks for evidence within a short investigation window, an organisation cannot locate the relevant records across email threads and shared drives.

DPA finding: No evidence of periodic access reviews (Art. 5(2) + Art. 32)

The organisation states it reviews access quarterly but cannot produce records showing who reviewed which accounts, when the review occurred, and what decisions were made on accounts that were no longer appropriate.

DPA finding: Excessive access — data minimisation by default not applied (Art. 25)

Users had admin-level access to personal data systems without documented justification. The principle of minimum necessary access was not applied by default — broader access was granted and never reviewed down.

DPA finding: Access justification not documented (Art. 5(2))

Access was granted but no business justification was recorded. When a DPA asks 'why did this person need access to this data?' the organisation cannot demonstrate that the question was ever asked.

How AllowNow Addresses GDPR Art. 32 and Art. 5

Article | AllowNow evidence
Art. 5(1)(f) | Complete access inventory per service and user, showing exactly who had access to which personal data systems at any point in time. Exportable for DPA investigations within minutes.
Art. 5(2) | Every access event (grant, review, revocation, implementation) is timestamped and attributed to a named individual. The accountability chain is continuous and unbroken.
Art. 25 | Access level distribution is visible and tracked. Admin access is identified and flagged. The notes field captures access justification ('why does this person need this access?'), creating data minimisation evidence.
Art. 32 | The GDPR report highlights admin access percentage, missing justification notes, stale reviews, and unreviewed access: the Article 32 evidence DPAs request when assessing whether technical measures were appropriate.
Art. 33 | Breach scope identification: in a breach scenario, AllowNow shows who had access to affected services, the data needed for the 72-hour breach notification to the DPA.

The AllowNow GDPR Article 32 Report is structured around the evidence DPAs request during investigations. The observations section surfaces admin access as a proportion of total access (Article 25 data minimisation), missing justification notes, accounts not reviewed within the periodic window, and gaps in the accountability chain. It produces the Article 5(2) demonstration that GDPR requires — not a policy document, but a record of controls that operated.

Built for small organisations that need to demonstrate GDPR accountability

AllowNow is designed for small controllers and processors — typically teams of 5 to 100 people — that process personal data and need to close the Article 5(2) accountability gap without a full-time DPO or compliance programme. If your organisation needs to demonstrate that access to personal data is controlled, reviewed, and documented — whether for a DPA investigation, a customer due diligence request, or an internal audit — AllowNow provides the evidence quickly and without enterprise complexity.

For privacy teams, the most valuable feature is speed. When an Article 33 breach notification is due within 72 hours, AllowNow produces the complete access inventory for affected systems instantly. When a DPA investigation requests access control evidence, the report is generated in seconds — not assembled over days from fragmented records. Accountability under GDPR means being able to demonstrate compliance on demand. AllowNow makes that possible.


Demonstrate accountability on demand

AllowNow gives small organisations the access minimisation evidence, periodic review records, and accountability trail that GDPR Article 32 and Article 5(2) require — without a dedicated DPO or compliance team.


Free for up to 10 members · No credit card required · Works with Google Workspace & Microsoft Entra ID