Introduction

Access and systems

Your accounts are protected. In this module we zoom out to the access and the systems around them: who can see what, how you protect your login and your device, and why updates and encryption make the difference if something does go wrong.

What you will learn in this module
  • The need-to-know principle and why access is tightly managed
  • Why you never share your login or your device, and why updates matter so much
  • What encryption means in plain language and when you use it

Need-to-know

Access only for people who really need it

A central idea in the GDPR is that personal data is only accessible to people who need it for their work. No more, no less. That is called need-to-know: only employees who really need personal data for their task get access to it. That limits the risk of misuse and of a large breach when one account is compromised. In IT jargon you often hear the related term 'least privilege', which looks more broadly at what an account is allowed to do (read, modify, delete, manage). For personal data under the GDPR, both come down to the same thing: as little access and as few rights as possible, no more than needed.

In practice that means:

  • Access follows the role, not the person. If someone’s role changes, the access changes with it.
  • Is a colleague leaving? Access is removed the same day. That is not distrust, it is hygiene.
  • Shared folders and mailboxes: managed deliberately, not given to “everyone” by default.

Read more in the knowledge base: Access management for personal data

Access management does not have to be heavy. A simple overview of “who has access to what” and a fixed check on joining and leaving already goes a long way.
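
The overview and the joining/leaving check described above can be as small as the following added example (not part of the original course; the roster, role table, grants and account names are all constructed). It compares the grants exported from your systems with the role-based overview and flags leavers, access that no longer fits the role, and shares open to "everyone".

```python
"""Access review: compare actual grants with the role-based overview.
All names and data below are constructed for illustration."""
from datetime import date

# Role -> resources that role needs (the "who has access to what" overview).
ROLE_ACCESS = {
    "hr": {"hr-share", "payroll"},
    "sales": {"crm"},
    "it": {"crm", "hr-share", "payroll", "backups"},
}

# Staff roster: name -> (current role, leaving date or None).
ROSTER = {
    "anna": ("hr", None),
    "bram": ("sales", None),                # moved from hr to sales
    "chloe": ("sales", date(2024, 5, 31)),  # has left
}

# Grants as exported from the systems: (principal, resource).
GRANTS = [
    ("anna", "hr-share"), ("anna", "payroll"),
    ("bram", "crm"), ("bram", "payroll"),
    ("chloe", "crm"),
    ("everyone", "hr-share"),
    ("dev-temp", "backups"),
]

BROAD_PRINCIPALS = {"everyone", "all-staff"}


def review(grants, roster, role_access, today):
    """Return sorted (finding, principal, resource) tuples needing action."""
    findings = []
    for principal, resource in grants:
        if principal in BROAD_PRINCIPALS:
            findings.append(("BROAD_GROUP", principal, resource))
        elif principal not in roster:
            findings.append(("UNKNOWN_ACCOUNT", principal, resource))
        else:
            role, left_on = roster[principal]
            # Access ends on the leaving date itself, not the day after.
            if left_on is not None and left_on <= today:
                findings.append(("LEAVER", principal, resource))
            elif resource not in role_access.get(role, set()):
                findings.append(("NOT_IN_ROLE", principal, resource))
    return sorted(findings)


if __name__ == "__main__":
    for finding in review(GRANTS, ROSTER, ROLE_ACCESS, date(2024, 6, 3)):
        print(*finding, sep="\t")
```

Run on the constructed data, it reports the "everyone" share on the HR folder, the departed colleague's CRM access, the payroll access left over from a previous role, and an account nobody on the roster owns.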

Your login is yours

Never share your login, not even “quickly”

A login is not just any passport, it is your passport. Everything that happens under your account is in your name in the logs.

  • Do not hand over your password, not even to a colleague or manager who says it is urgent. Does someone need access? Then you request the right access for them, not your account.
  • Do not let anyone work under your session. An account is meant to be used by one person.
  • Lock your screen when you leave your workstation, even briefly for the printer or a coffee.

What if something goes wrong under your account?

If a mistake, a breach, or an irregularity happens under your login, it is recorded as your action. Nobody wants to explain that. So keep your login strictly personal.

Updates

Updates strengthen your security

Software updates often feel like an interruption. In reality they close known security holes. The longer you wait, the bigger the risk that attackers exploit those holes.

  • Operating system and browser: turn on automatic updates on PC, laptop, phone, etc.
  • Apps and office software: let updates install, or do them right at the end of the working day.
  • Servers and business systems: usually a job for IT. Ask how your organisation manages it.

Not only updates (see: Securing systems and software)

Secure systems also mean: a working firewall, an up-to-date antivirus scanner, and no old software that is no longer supported. Read in the knowledge base how to approach this for your SME.

Encryption

Encryption in plain language

Encryption sounds technical, but the idea is simple: data is scrambled so that it is unreadable, except to those who have the right key. On an encrypted hard drive the files are unreadable without a PIN or password. On an encrypted connection (HTTPS, a VPN) no one in between can read along.

The good news: a lot of it is already built in by default today. Briefly per location, what that means for you:

  • On your phone: on modern iPhones and Android devices, encryption is on by default. What you do: turn on the screen lock with a PIN, face, or fingerprint. Sensitive apps (like the Files app) can be put behind biometrics for extra protection.
  • On your laptop: a short check pays off here. Mac uses FileVault, Windows uses BitLocker. Neither is always on by default: new Windows 11 installs often turn it on automatically, but for Mac and for older or second-hand Windows devices you have to activate it yourself. On a work laptop: check with IT whether it is active. On your own laptop: turn it on in the settings.
  • Browser and wifi: a site with https:// and the padlock in the address bar encrypts the traffic. The wifi at the office or at home is usually already encrypted. Working on public wifi takes a little more care; the next slide goes into that.
  • In the cloud: with major providers like Google Workspace, Microsoft 365, and reputable SaaS tools, storage is encrypted by default; you do not have to do anything yourself. For your own servers, an external backup drive, or a website built by a local web designer: explicitly ask how data is encrypted, both in transit (HTTPS) and at rest (database, backups).

Encryption protects the device, not the account

Encryption helps if someone loses your laptop or phone, or if someone tries to read along on a wifi network. But if someone cracks your account, they just sign in and the data is automatically decrypted for them, because your account is the key. So a strong account with 2FA or a passkey (module 2) remains your first line.

Encryption is your safety net (see: Encryption and GDPR)

Encryption does not prevent a device from being lost, but it makes that loss much less serious. An encrypted laptop on the train is an inconvenience. An unencrypted laptop is a data breach.

Public wifi

Working on public wifi

On an open wifi network in a coffee shop, hotel, or airport, you are on the same network as complete strangers. That does not have to be a disaster, but it takes a little more care than at home or the office.

The good news: almost every website and app uses HTTPS today. The traffic is therefore encrypted, even on an open network. The biggest risks lie elsewhere:

  • Fake networks (“evil twin”): a network that pretends to be “Hotel-Free-Wifi” but is set up by an attacker.
  • Sloppy apps that still send something unencrypted somewhere.
  • File sharing left on: by accident, a fellow guest can reach your files.

This is how you limit the risk:

  • Only connect to networks you trust and that the venue itself confirms.
  • For really sensitive work (banking, sensitive customer files): use your mobile data (hotspot) rather than unfamiliar wifi.
  • Do you often work on the move? A VPN (Virtual Private Network) builds an extra encrypted tunnel on top of the network. It is a service that creates an encrypted tunnel between your device and the internet, or between you and your company network. On a public wifi network, no one can read your traffic inside that tunnel. Company VPNs are often set up by IT, and your company may already have one for work systems; for personal use there are subscriptions like Mullvad, ProtonVPN, or NordVPN.
  • Turn off file sharing on public networks (on Windows: choose “Public network”; on Mac this is well handled by default).

VPN: a recommendation for home work and travel

Does your organisation have employees who regularly work on the move or from home? Then a company VPN, or a stipend for a personal subscription, is a simple investment with a high return. Especially for people working with customer or staff data.

What do you do?

A colleague asks for your login

A colleague says they urgently need to look something up in a system they do not have access to. They ask if you would quickly hand over your login; they promise to log out again right away.

What do you do?

What do you do?

Lost laptop

You leave your work laptop on the train. It is shut down, you know the drive is encrypted, and the screen is locked with your PIN. What do you do first?

What do you do?

Practice · question 1 of 2
Just practice, this does not count toward your certificate
What is the core of the need-to-know principle?
Correct: need-to-know means you only get access to personal data that you need for your work. That keeps the risk limited if an account is compromised, and makes misuse harder.
Practice · question 2 of 2
Why are software updates important for security?
Correct: updates very often contain fixes for known security holes. As soon as a hole is known, attackers actively search for systems that have not yet been updated. Installing quickly is therefore a simple but powerful protection.
Summary

What you take away from module 3

  • Need-to-know: only those who need personal data for their work get access to it. Access follows the role and stops on departure.
  • A login is personal. Never share it, not even 'quickly', because everything under it is in your name.
  • Lock your screen when you leave your workstation.
  • Updates close known security holes. Turn on automatic updates on your device, browser, and apps.
  • Encryption is your safety net: an encrypted laptop on the train is an inconvenience, an unencrypted one is a data breach.

Module complete

Module 3 complete 🎉

Access and systems are in order. In module 4 we look at the daily handling of data itself: how you share safely, protect paper documents, and do not keep data longer than necessary.

3 of 6 modules

On your way to your “Security awareness” certificate

Complete all 6 modules and pass the final exam (at least 70%) to receive a personal certificate of attendance in your name.
