The new General Data Protection Regulation sets requirements on how you handle personal data about data subjects registered in your computer system. As an example, sensitive information should not be made available to personnel who do not need access to it, and you also need to protect the information – and log what happens to it.
My reflection is that the AAA methodology is a good guide to ensuring that the information only gets accessed by the right people. AAA stands for Authentication, Authorization, Accounting.
Authentication – Making sure that in order to access the system you authenticate yourself, proving that you are a user with access. This can be done via traditional methods such as username and password, but it is better to use two-factor or multi-factor authentication.
Authorization – Once logged in, the system must not allow every registered user to access everything. Make sure to set appropriate access levels, so that personal data is not compromised.
Accounting – In order to pick up on suspicious usage and unauthorized users, or to trace potential incidents in the system, one should always do accounting – or logging, as it is also called. This ensures that all activity gets logged and can be checked later to verify whether or not something illegitimate occurred.
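Putting the three A's together, as an added example that is not part of the original post: a small Python service that authenticates with a password plus a second factor, authorizes per field so that a support role never sees the sensitive health field, and writes every decision (allowed or denied) to an audit log. The record store, the role names and the static second-factor code are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample store of data-subject records (not a real system).
RECORDS = {"1001": {"name": "A. Example", "email": "a@example.org", "health": "asthma"}}
# Authorization matrix: which roles may read which field. A field missing from
# the matrix is hidden from every role (fail closed).
FIELD_ROLES = {"name": {"support", "clinician"}, "email": {"support", "clinician"},
               "health": {"clinician"}}
# Unknown usernames are checked against this dummy entry so that the failure
# path (and the log entry it produces) is the same as for a wrong password.
NO_USER = {"salt": b"", "digest": b"", "otp": "", "role": None}

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AAAService:
    def __init__(self):
        self.users = {}      # username -> {salt, digest, otp, role}
        self.audit_log = []  # accounting: every attempt, allowed or denied

    def register(self, username, password, otp_secret, role):
        # otp_secret stands in for the second factor; a real deployment would
        # use TOTP or a hardware token rather than a static code.
        salt = secrets.token_bytes(16)
        self.users[username] = {"salt": salt, "digest": hash_password(password, salt),
                                "otp": otp_secret, "role": role}

    def _log(self, user, action, target, outcome):
        self.audit_log.append({"user": user, "action": action,
                               "target": target, "outcome": outcome})

    def authenticate(self, username, password, otp_code):
        """Authentication: both factors must match; returns a session or None."""
        u = self.users.get(username, NO_USER)
        pw_ok = hmac.compare_digest(u["digest"], hash_password(password, u["salt"]))
        otp_ok = hmac.compare_digest(u["otp"], otp_code)
        if not (pw_ok and otp_ok):
            self._log(username, "login", "-", "denied:bad credentials")
            return None
        self._log(username, "login", "-", "ok")
        return {"user": username, "role": u["role"]}

    def read_record(self, session, record_id):
        """Authorization: return only the fields the session's role may see."""
        record = RECORDS.get(record_id, {})
        visible = {k: v for k, v in record.items()
                   if session["role"] in FIELD_ROLES.get(k, set())}
        self._log(session["user"], "read", record_id, f"fields={sorted(visible)}")
        return visible
```

The audit log records denied logins as well as which fields each read actually returned, which is what a later review of an incident needs.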