The organization implements role-based access control, with predefined access roles for each protected asset that grant access to that asset. The strictness of the access roles should reflect the security risks associated with the asset.
The following should be considered to support access management:
The task of the Data Protection Officer (or other responsible person) is to monitor that the Data Protection Regulation and other data protection requirements are complied with in the organisation's operations.
In making the assessment, the responsible person shall take into account the risk associated with the processing operations as well as the nature, extent, context and purposes of the processing of personal data.