Identity and access management: GDPR-compliant access control in practice
How data protection classification and IAM work together to protect personal data and meet compliance requirements
IT security breaches are one of the biggest risks for companies. Studies such as the Verizon DBIR show that around 80 percent of all data breaches involve compromised credentials or misconfigured authorizations. At the same time, regulations such as the GDPR, ISO 27001 and IT baseline protection are tightening the requirements for the protection of personal data. Identity and access management (IAM) is far more than just a technical tool – it forms the central protective layer between sensitive company data and potential security risks.
In particular, the systematic classification of data according to its protection requirements makes it possible to not only formally fulfill GDPR requirements, but also to implement them in practice. In this article, we show how IAM systems interact with data protection classification, which specific GDPR articles are addressed and how companies can use automated processes to ensure their long-term compliance.
GDPR requirements for identity and access management
Although the General Data Protection Regulation does not place any explicit requirements on IAM systems, it does call for technical and organizational measures (TOMs) that can only be implemented through structured identity and access management. Three central articles of the GDPR are particularly relevant here:
Article 5 GDPR: Principles of data processing
Article 5 GDPR defines fundamental principles for the handling of personal data that have a direct impact on IAM strategies:
- Data minimization: IAM systems must ensure that users can only access the data that they actually need for their respective tasks. The principle of minimum rights (least privilege) is central here – handing out rights on a “scattergun” basis violates this principle.
- Storage limitation: Personal data may only be stored for as long as is necessary for the processing purpose. IAM systems play a dual role here: they must not only regulate access to old data, but also automatically delete their own log data (audit logs) after specified periods.
- Integrity and confidentiality: IAM is the technical foundation for guaranteeing these principles. Authentication mechanisms, role-based access control and continuous monitoring ensure that data is protected against unauthorized access, loss or damage.
Article 32 GDPR: Security of processing
Article 32 GDPR explicitly requires “appropriate technical and organizational measures” to ensure a level of protection appropriate to the risk. IAM systems fulfill this requirement on several levels:
- Access control: Access control is a security mechanism that controls and monitors access to data, applications and physical resources. It ensures the confidentiality, integrity and availability of information by only allowing access to authorized users. Key methods include identification/authentication, role-based access control (RBAC) and technical controls.
- Traceability through audit trails: IAM systems keep a complete record of who has assigned which authorizations and when. These audit trails are not only essential for adhering to compliance requirements, but also for investigating security incidents.
- Recertification of authorizations: Article 32 requires the regular review and updating of security measures. IAM solutions automate recertification processes in which data controllers must confirm at set intervals that employees still require their current authorizations.
- Automated rights management: Ghost accounts, i.e. orphaned user accounts of former employees, are one of the most common security vulnerabilities; automated deprovisioning when an employee leaves removes them. In addition, authorizations can be given start and expiration dates so that temporary access for project staff, external service providers or time-limited tasks expires automatically – without manual tracking.
Article 33 GDPR: Notification of data breaches
In the event of data breaches, Article 33 GDPR requires notification to the supervisory authority within 72 hours. IAM systems support this requirement by:
- Forensic analysis and compliance documentation: In the event of a data breach, the detailed log data of an IAM system makes it possible to quickly reconstruct which identities have accessed which data and whether personal information has been affected. Thanks to the data protection classification stored in the system, all information relevant to the record of processing activities under Article 30 GDPR can be read out at the touch of a button – making it much easier to fulfill documentation obligations.
Data protection classification as a key function for GDPR compliance
The data protection classification forms the link between the abstract GDPR requirements and their practical implementation in IAM. It makes it possible to categorize data according to its protection requirements and implement differentiated access controls based on this.
What is data protection classification?
Data protection classification describes the systematic process in which data is divided into predefined categories based on its sensitivity, need for protection and compliance relevance. The following classifications are particularly relevant in the context of the GDPR:
- Non-personal data: Information without any reference to a natural person, which is not subject to any special protection requirement.
- General personal data: Information such as names, email addresses or telephone numbers that must be protected in accordance with the GDPR but does not belong to a special category.
- Special categories of personal data (Art. 9 GDPR): Highly sensitive data such as health information, genetic or biometric data, information on ethnic origin, political opinions, religious beliefs or sexual orientation. This data enjoys the highest level of protection and may only be processed under strict conditions.
Although the GDPR itself does not define any specific protection level concepts, German data protection authorities (e.g. Lower Saxony) and the Federal Office for Information Security (BSI) have developed models with graduated protection levels that can serve as a guide for companies.
How IAM implements the data protection classification
Data protection classification only develops its full effect in combination with a capable IAM system. The most important interactions are:
Visual marking in the file system: Modern IAM solutions such as the BAYOOSOFT Access Manager mark classified folders directly in Explorer using special icons. Data controllers can see at a glance whether they are granting access to GDPR-relevant data or data that is particularly worthy of protection – this creates transparency and raises awareness for the handling of personal data.
Classification-based recertification: The classification of a folder as “personal” or “special category” automatically triggers stricter recertification intervals. For example, while normal business data is reviewed annually, highly sensitive health data may require quarterly recertification.
Pre-authorization for classified data: Access permissions to classified data pass through an additional pre-authorization step. Any account can be authorized in principle, but only accounts that are members of the corresponding AD pre-authorization group are actually provisioned to the target system. This makes it possible, for example, to map employee security clearance checks when particularly sensitive information is involved.
Automated deletion periods: IAM systems determine how long audit logs and other log data may be stored. After the defined period has expired, these are automatically deleted – a direct contribution to fulfilling the storage limitation principle from Article 5 GDPR.
Encryption and anonymization: Highly sensitive data categories can automatically trigger additional protective measures such as encryption or pseudonymization. IAM systems coordinate the technical measures with the access control mechanisms.
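The mechanisms described above (classification-driven recertification intervals, the AD pre-authorization group for Art. 9 data, and expiring grants plus audit-log retention) as a compact policy model in Python. This is an added example, not code from the BAYOOSOFT Access Manager or from this article; the group name, the intervals and all sample data are assumed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple

class Classification(Enum):
    NON_PERSONAL = "non-personal"
    PERSONAL = "general personal data"
    SPECIAL = "special category (Art. 9 GDPR)"

# Assumed policy values: annual review for ordinary data, quarterly for Art. 9 data.
RECERT_DAYS = {Classification.NON_PERSONAL: 365, Classification.PERSONAL: 365,
               Classification.SPECIAL: 90}
PREAUTH_GROUP = "grp-preauth-art9"  # assumed name of the AD pre-authorization group

@dataclass(frozen=True)
class Folder:
    classification: Classification
    last_recertified: date

@dataclass(frozen=True)
class Grant:
    account: str
    folder: Folder
    start: date
    expires: Optional[date] = None  # None = open-ended grant

def recert_due(folder: Folder) -> date:
    """Next recertification date, derived from the folder's classification."""
    return folder.last_recertified + timedelta(days=RECERT_DAYS[folder.classification])

def is_effective(grant: Grant, today: date, ad_groups: Dict[str, Set[str]]) -> bool:
    """Inside the validity window, and for Art. 9 data also in the pre-authorization group."""
    if today < grant.start or (grant.expires is not None and today >= grant.expires):
        return False  # not yet started, or expired (temporary access ends automatically)
    if grant.folder.classification is Classification.SPECIAL:
        return grant.account in ad_groups.get(PREAUTH_GROUP, set())
    return True

def purge_audit_log(entries: List[Tuple[date, str]], today: date, retention_days: int):
    """Keep only audit entries inside the retention period (storage limitation, Art. 5)."""
    cutoff = today - timedelta(days=retention_days)
    return [e for e in entries if e[0] >= cutoff]

# Constructed sample data (not from any real environment)
TODAY = date(2025, 6, 1)
HR_HEALTH = Folder(Classification.SPECIAL, date(2025, 4, 1))
AD_GROUPS = {PREAUTH_GROUP: {"alice"}}
GRANTS = [Grant("alice", HR_HEALTH, date(2025, 1, 1)),
          Grant("bob", HR_HEALTH, date(2025, 1, 1)),  # never pre-authorized
          Grant("ext-contractor", HR_HEALTH, date(2025, 3, 1), date(2025, 5, 31))]  # expired
```

Running the model over the sample data shows that only alice's grant reaches the target system: bob lacks the pre-authorization group, and the contractor's grant has passed its expiration date.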
IAM components for GDPR compliance
A comprehensive IAM system combines several components that work together to implement GDPR requirements in practice. At its core is the directory service (e.g. Active Directory), which manages all identities centrally and itself already contains personal data, which is why it also requires protection mechanisms such as encryption and access logging. Building on this, role-based access controls (RBAC) ensure that authorizations are assigned in a standardized manner according to function, not arbitrarily according to person. Privileged access management (PAM) solutions secure particularly critical administrator rights with stricter controls such as session monitoring and time-limited access.
Modern IAM systems also automate the entire identity lifecycle: self-service portals allow employees to request authorizations independently, which are then approved via predefined workflows. User profiles are automatically provisioned when new colleagues join and automatically deprovisioned when they leave – ghost accounts don’t stand a chance. Identity Governance and Administration (IGA) functions continuously monitor whether all authorizations comply with the guidelines. Finally, seamless audit trails document every access and every change in rights, the basis for verification obligations in accordance with Article 33 GDPR.
Conclusion: IAM as a strategic building block for data protection compliance
Identity and access management is far more than a technical necessity: it is a strategic building block for sustainable data protection and GDPR compliance. The combination of systematic data protection classification and automated IAM processes enables companies to not only formally fulfill the complex requirements of the GDPR, but also to anchor them practically in everyday working life.
The key success factors here are:
- Precise access control instead of a scattergun approach: only those who really need data are granted access.
- Automation of routine processes: Rights are automatically assigned, recertified and revoked.
- Transparency and traceability: Seamless documentation of all access and rights assignments.
- Data protection classification: Differentiated protection measures depending on the sensitivity of the data.
Companies that use IAM strategically not only benefit from improved compliance and security, but also from efficiency gains in IT administration. At the same time, they create trust with customers, partners and supervisory authorities – a decisive competitive advantage in an increasingly data protection-sensitive business world.