The Principle of Least Privilege
How to limit access to personal data in Huma to comply with GDPR and protect your employees
What is the Principle of Least Privilege?
The Principle of Least Privilege means that each person should only have access to the information they actually need to do their job, nothing more. Applied to Huma, this means giving employees and administrators the most limited set of roles and permissions that still allows them to do their work effectively.
This is not just good practice, it is also a legal requirement under GDPR. Article 5.1(c) and (f) of the GDPR requires that personal data is adequate, relevant and limited to what is necessary, and that it is protected against unauthorised access.
🔗 Read more about GDPR.
🔗 Read more about GDPR Article 5 - Principles relating to processing of personal data.
🔗 Read more about the Principle of Least Privilege on Wikipedia.
How to apply it in Huma
Huma's role and permission system is designed to support the Principle of Least Privilege. Here are the most important things to keep in mind:
- Use system roles sparingly: System roles give broad access across the entire organisation. Only grant system roles to people who genuinely need organisation-wide access, for example HR administrators or payroll managers.
- Use user roles for targeted access: User roles let you grant access to specific groups, for example giving a team leader access to their own team's absence or salary information. This is almost always preferable to a system role.
- Review access regularly: People change roles, departments or responsibilities. Make it a habit to review who has access to what, especially for sensitive modules like Salary, Documents and Absence.
- Deactivate employees promptly: When an employee leaves, deactivate their account as soon as possible to remove their access to Huma.
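The four points above make up one access-review procedure. The script below is an added illustration of how such a review can be automated; it is not Huma's own code and does not use any Huma API. The account records, the group names and the list of approved system administrators are all constructed for the example; in practice you would start from an export of roles and permissions and of current employment status.

```python
"""Least-privilege access review over a constructed account list.

Added example, not Huma code. It flags the three things the guidance
asks you to check: departed people who are still active, system roles
held by anyone not explicitly approved for organisation-wide access,
and user roles whose scope reaches beyond the groups the person leads.
"""
from dataclasses import dataclass, field

# Modules the guidance singles out as sensitive (constructed names).
SENSITIVE_MODULES = {"salary", "documents", "absence"}


@dataclass
class Account:
    name: str
    active: bool                      # account enabled in the HR system
    employed: bool                    # still employed according to HR records
    system_roles: set = field(default_factory=set)    # organisation-wide roles
    user_roles: dict = field(default_factory=dict)    # module -> groups the role covers
    manages: set = field(default_factory=set)         # groups the person actually leads


def review(accounts, approved_system_admins):
    """Return (name, severity, issue) findings; an empty list means no drift."""
    findings = []
    for a in accounts:
        if a.active and not a.employed:
            findings.append((a.name, "high",
                             "departed employee still active: deactivate the account"))
        if a.system_roles and a.name not in approved_system_admins:
            findings.append((a.name, "high",
                             f"unapproved system role(s) {sorted(a.system_roles)}: "
                             "replace with a scoped user role"))
        for module, groups in a.user_roles.items():
            extra = set(groups) - a.manages
            if extra:
                severity = "high" if module in SENSITIVE_MODULES else "medium"
                findings.append((a.name, severity,
                                 f"{module} access to {sorted(extra)} "
                                 "outside the person's own team(s)"))
    return findings


# Constructed sample roster (hypothetical people and groups).
SAMPLE_ACCOUNTS = [
    Account("Ola", True, True, system_roles={"hr_admin"}),
    Account("Kari", True, True, user_roles={"absence": {"sales"}}, manages={"sales"}),
    Account("Per", True, True, user_roles={"salary": {"sales", "support"}}, manages={"sales"}),
    Account("Nina", True, False, user_roles={"documents": {"finance"}}, manages={"finance"}),
    Account("Jon", True, True, system_roles={"payroll_admin"}),
]
APPROVED_SYSTEM_ADMINS = {"Ola"}   # constructed: who may hold organisation-wide roles


def sample_review():
    return review(SAMPLE_ACCOUNTS, APPROVED_SYSTEM_ADMINS)


if __name__ == "__main__":
    for name, severity, issue in sample_review():
        print(f"[{severity}] {name}: {issue}")
```

Running it reports Per's salary access to a group he does not lead, Nina's account that should have been deactivated, and Jon's system role that nobody approved; Ola and Kari produce no findings. Rerunning the review on a schedule, with the approved-administrator list kept under change control, turns "review access regularly" into something that is actually done.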
🔗 Read more about roles and permissions in Huma.
🔗 Read more about security and compliance at trust.humahr.com.
FAQ
Is there a legal requirement to limit access?
Yes. Under GDPR Article 5.1(c) and (f), organisations are required to ensure that personal data is only accessible to those who need it. Implementing the Principle of Least Privilege in Huma is one of the most effective ways to comply with this requirement.
Where can I read more about our legal obligations in Norway?
You can find a legal deep dive in Norwegian at Lovdata: Lov om behandling av personopplysninger, Article 5.