Mechanisms ensuring only authorised personnel can access personal data based on their role and business need.
Access control encompasses the policies, processes, and technologies that restrict access to personal data to only those individuals who need it for their specific job function. Under DPDPA, this is a core security safeguard. It includes: role-based access control (RBAC), principle of least privilege, multi-factor authentication for sensitive data access, access logging and monitoring, regular access reviews, and prompt de-provisioning when roles change or employment ends.
Most data breaches involve insider access or compromised credentials. Proper access controls ensure that even if one account is compromised, the attacker's access is limited. The Board evaluates access controls as a primary indicator of security safeguard adequacy.
A Bengaluru SaaS company implements: RBAC with 3 roles (DPO sees all, Analyst sees aggregates only, Viewer sees reports), MFA mandatory for database access, quarterly access reviews removing stale permissions, and automatic de-provisioning within 2 hours of employee offboarding.
Password-protecting your database is basic authentication, not access control. True access control means role-based restrictions, audit logging of every access, regular reviews, and enforcement of least privilege across all systems.
DPDPA Shield automates Compliance Dashboard. See how →