Who Has Access to What? Folder Permissions, GDPR, ISO 27001 & the Q9000 Standard: What Every Irish Organisation Needs to Know in 2026

Every week, somewhere across Ireland, a new employee logs in on their first day and one of two things happens. Either they can’t access anything they need — and their first morning is spent waiting on helpdesk tickets — or they can access far more than they should, including files that have nothing to do with their role.

Both scenarios are a problem. But the second one? That’s not just an IT headache. In 2026, it could land your organisation in serious regulatory trouble.

At Newtec Services, folder access requests are one of the most consistent themes running through our helpdesk logs, year after year. A new HR assistant joins and needs access to the HR folder, the shared company drive, and maybe a generic inbox like hr@company.ie. Simple enough on the surface. But the process of granting, managing, and reviewing that access is where things can quietly go wrong — and quietly is often how compliance failures begin.

This is not just an IT problem. It is a legal, regulatory, and quality assurance problem. And for law firms it can be a formal audit requirement.

At a Glance: What This Blog Covers

  • Why folder and email access control is a GDPR legal obligation in Ireland
  • How ISO 27001:2022 mandates access management (Annex A 5.15 & 5.18)
  • What the Q9000 Legal Quality Standard requires from law firms on IT security
  • Real-world examples of what goes wrong — and what good practice looks like
  • Verified official sources throughout — DPC, Law Society, LQSI, ISO, Irish legislation

1.  It’s Not Just About Convenience — It’s the Law

Here’s the part that often surprises people: folder permissions are not just a practical IT matter. They sit squarely at the intersection of Irish data protection law, EU regulation, and international quality assurance standards.

Under the General Data Protection Regulation (GDPR) — which applies fully in Ireland and is enforced by the Data Protection Commission (DPC) — organisations are required to ensure that access to personal data is appropriate, limited, and controlled. Article 5(1)(c) of the GDPR sets out the principle of data minimisation: personal data must be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

In plain terms: if someone doesn’t need access to a folder containing personal data to do their job, they shouldn’t have it. That’s not a suggestion. It’s the law.

The DPC has published detailed guidance for organisations on data security obligations. That guidance explicitly states that organisations should “know what data they hold, where it is held and how it flows through the organisation” — and that without this oversight, effective protection of personal data is a difficult task. The guidance also makes clear that shared credentials, where multiple users share the same login, should never be permitted. (Source: dataprotection.ie — Data Security Guidance)

DPC Enforcement: The Numbers

In 2024, the Data Protection Commission received 11,091 complaints from individuals and organisations across Ireland. Administrative fines issued by the DPC and arising from completed multi-year inquiries in 2024 totalled over €652 million. Unauthorised or poorly managed access to personal data is precisely the kind of issue that generates those complaints — and in professional environments, the consequences extend beyond fines to reputational damage and loss of client trust.

2.  HR Folders: A Real-World Case in Point

Let’s take a scenario that our helpdesk encounters regularly. A new starter joins your HR department. On day one, they need access to several systems and folders:

  • The company HR folder (employment contracts, payroll records, disciplinary files, medical certs)
  • A work email account
  • Shared corporate drives relevant to their role
  • Potentially a generic shared inbox such as hr@company.ie or accounts@company.ie

The HR folder, in particular, deserves close attention. It almost certainly contains special category personal data — health information, financial details, employment history — categories that receive heightened protection under GDPR Articles 9 and 10. Under Irish law, the Data Protection Act 2018 implements and supplements the GDPR framework, giving the DPC enforcement powers over exactly this kind of processing.

The question is never just “what does this person need?”. It’s: “what is the minimum access that allows them to do their job?” That distinction matters enormously.

Granting that new HR starter access to the payroll folder? Potentially appropriate if the role requires it. Granting them access to the Managing Director’s contract, or to disciplinary files predating their employment, or to the Finance folder? That’s legally problematic — even if the access was granted by accident, out of convenience, or simply because no one thought to restrict it.

The Generic Inbox Problem

Shared inboxes like accounts@company.ie carry their own specific compliance risk. When multiple people read the same mailbox, it becomes extremely difficult to trace who accessed what, or to demonstrate appropriate confidentiality controls. This matters both under GDPR’s accountability principle (Article 5(2)) and under the Law Society of Ireland’s guidance for solicitors handling client correspondence electronically.

The DPC is explicit: shared credentials must not be used. This applies to email accounts and system access alike.

3.  The ISO 27001 Dimension

Data protection law is not the only framework demanding proper access controls. If your organisation holds or is working towards ISO 27001 certification — the internationally recognised standard for information security management systems, published by the International Organization for Standardization — access control is explicitly mandated at multiple levels.

It is worth noting that Newtec Services is itself ISO 27001 certified, which underpins the access management and security controls we implement for clients.

ISO 27001:2022 includes two specific Annex A controls that are directly relevant to folder and file access management:

ISO 27001:2022 Control | Requirement
Annex A 5.15 Access Control | Organisations must define and enforce rules for who can access information and assets, based on the “need-to-know” and “least privilege” principles. Access should be denied by default unless there is a documented business reason to grant it.
Annex A 5.18 Access Rights | Access rights must be provisioned, reviewed, modified, and removed throughout the full user lifecycle — from onboarding through role changes to departure. Failure to do so leads to “privilege creep”: accumulated permissions that no longer match what someone actually does.

ISO 27001 auditors routinely ask for evidence of access reviews, documented approval processes for access requests, and logs of access revocations. If your organisation cannot produce those records, it represents a gap — regardless of how capable your IT team is day-to-day.

Source: ISO/IEC 27001:2022 — Information Security Management Systems

4.  The Q9000 Standard: What It Means for Irish Law Firms and Their IT

What Is the Q9000?

The Q9000 is the highest-tier accreditation awarded by the Legal Quality Standard of Ireland (LQSI), recognised by the Law Society of Ireland. It is described by LQSI as the most advanced strategic, risk and quality management standard available to Irish solicitor firms, awarded only to those that have already excelled under the Q6000 standard.

Firms with Q9000 accreditation have been independently audited and rank among the highest quality law firms in Ireland. Source: lqsi.ie/the-q9000/

For law firms, folder access is not just an operational concern — it is a formal, independently audited requirement. The Q9000 Quality Standard includes a dedicated IT Security & GDPR module (carried through from the Q3000 and Q6000 tiers), and adds an Advanced IT, Information and Knowledge Management module at the Q9000 level.

At the advanced IT level, the Q9000 specifically requires firms to have documented policies and evidence of implementation across the following areas:

  • Technology Strategy
  • Standardisation Strategy
  • Precedent Bank Management
  • Knowledge Management
  • Information Security and Remote Access Policies

This means that for a firm pursuing or maintaining Q9000 accreditation, having clear, documented, and regularly reviewed folder access policies is not optional. It will be examined by an independent auditor.

What a Q9000 Auditor Will Typically Expect to See

Based on the published scope of the Q9000’s IT Security & GDPR and Advanced IT modules, an auditor reviewing a firm’s access control procedures would expect documented evidence of:

  • A current, signed Information Security Policy specifying who has access to which systems, folders, shared drives, and inboxes
  • A Remote Access Policy governing how staff connect to firm systems outside the office, including from home or on mobile devices
  • A documented access provisioning and deprovisioning process — covering what happens when staff join, change role, or leave
  • Regular access reviews with written records showing permissions have been checked and removed where no longer appropriate
  • A Technology Strategy demonstrating how IT systems, including access management, are planned, reviewed, and kept current

The Law Society of Ireland’s GDPR guidance for solicitors makes clear that statutory data protection duties apply to solicitors as data controllers in exactly the same manner as they apply to any other organisation processing personal data. This is a legal obligation that runs in parallel to and reinforces the Q9000 requirement. Source: lawsociety.ie — GDPR & Data Protection for Solicitors

5.  The Real Cost of Getting It Wrong: Privilege Creep and Beyond

“Privilege creep” is one of the quieter risks in Irish organisations. An employee moves from accounts to HR, and their old accounts folder access is never removed. A member of staff leaves, and their account — with all its folder permissions — is not deprovisioned for two weeks. A shared login is used by three people in a department, meaning there is no audit trail of who accessed what.

None of these feel like dramatic failures in the moment. But collectively, they represent genuine regulatory exposure and real security risk. Consider the three most common consequences:

Consequence | What It Means in Practice
GDPR Breach | If a staff member accesses personal data they are not authorised to see — even accidentally — this may constitute a data breach requiring notification to the DPC under Article 33 of the GDPR within 72 hours.
ISO 27001 Audit Failure | Lack of documented access reviews, or evidence of privilege creep, will be flagged as a non-conformity during an ISO 27001 audit. This can jeopardise certification.
Q9000 Audit Failure | For law firms, absence of documented Information Security and Remote Access Policies, or evidence that access is not reviewed regularly, will constitute a finding during a Q9000 audit.

For law firms specifically, the stakes are higher still. Client files may contain some of the most sensitive personal data in existence: medical records, financial disputes, family law matters, criminal proceedings. A failure of access control is not just a regulatory matter — it is a profound breach of professional duty and client trust.

Real Testimonial from a Newtec Services Client

“Newtec have been central to keeping us informed on the ever changing IT landscape and we have implemented their Managed Security solutions to ensure that our data continues to remain secure and we meet all Data Protection Compliance & GDPR regulations.”

— Gerry Flynn, Michael Houlihan & Partners Solicitors

6.  What Good Access Control Actually Looks Like in Practice

Getting folder permissions right is not complicated — but it requires a deliberate, documented process. Here is what that looks like across five practical areas:

1.  Formal Onboarding Checklist

Define what access each role requires before the employee starts, not after. A manager or department head should sign off on the access list before IT implements it. This creates an auditable record and prevents the common habit of copying the permissions from whoever previously held the role.

2.  Role-Based Access Control (RBAC)

Access should be tied to job function, not individual request. When a role is defined, its access requirements are defined with it. This makes access consistent, auditable, and far easier to review. It also means that when someone changes role, the access associated with the old role is removed automatically as part of the transition.

3.  Formal Offboarding Process

Access must be removed on the day of departure or role change — not when someone eventually gets around to raising a helpdesk ticket. For law firms under Q9000, this is an audited requirement. For all organisations under GDPR, it is a matter of data security due diligence.

4.  Regular Access Reviews

At minimum annually for standard users — more frequently for those with elevated access. ISO 27001 Annex A 5.18 requires this. Q9000 auditors expect written records of it. The DPC’s data security guidance emphasises it. A review does not need to be complex: a quarterly check of who has access to what key folders is sufficient for most organisations.

5.  Generic Inbox Governance

Shared inboxes should have a named owner, a defined list of users, and a clear policy on access logging and review. Where confidential client or personal data passes through a shared inbox, access should be restricted to those with a genuine need, and that list should be reviewed regularly.

These are not theoretical best practices. They are what the DPC expects under GDPR, what ISO 27001 auditors examine, and — for law firms — what a Q9000 audit will directly assess.
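As an added example (not Newtec's tooling and not code from the post), the following Python script models the access review in point 4 and the privilege-creep cases from section 5: it compares a folder ACL export against role-based entitlements and flags excess access, leavers who still hold permissions, shared logins, and principals nobody in the directory owns. The folder names, accounts and ACL snapshot are constructed sample data; in practice the (folder, principal) pairs would come from your file server's ACL export.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Role-based entitlements: the folders each role legitimately needs.
# Constructed sample data for illustration, not a real entitlement catalogue.
ROLE_FOLDERS = {
    "hr_assistant": {"HR", "Shared"},
    "accounts_clerk": {"Finance", "Shared"},
}

@dataclass(frozen=True)
class Account:
    principal: str        # login name exactly as it appears in the ACL export
    role: Optional[str]   # None means the person has left and deprovisioning is overdue
    shared: bool = False  # True for generic logins such as an accounts@ mailbox account

# One review finding: kind is "excess", "leaver", "shared" or "unknown".
Finding = namedtuple("Finding", "kind principal folder")

def review_access(acl_entries: Iterable[Tuple[str, str]],
                  directory: dict) -> List[Finding]:
    """Compare (folder, principal) ACL entries with role entitlements; sorted for a stable report."""
    findings = []
    for folder, principal in acl_entries:
        acct = directory.get(principal)
        if acct is None:
            findings.append(Finding("unknown", principal, folder))  # no owner in the directory
        elif acct.shared:
            findings.append(Finding("shared", principal, folder))   # shared credential on a folder
        elif acct.role is None:
            findings.append(Finding("leaver", principal, folder))   # access survived departure
        elif folder not in ROLE_FOLDERS.get(acct.role, set()):
            findings.append(Finding("excess", principal, folder))   # privilege creep
    return sorted(findings, key=lambda f: (f.kind, f.principal, f.folder))

# Constructed directory and ACL snapshot mirroring the scenarios in the post.
DIRECTORY = {
    "aoife.k": Account("aoife.k", "hr_assistant"),
    "sean.m": Account("sean.m", "hr_assistant"),                     # moved from accounts to HR
    "brian.o": Account("brian.o", None),                             # left two weeks ago
    "accounts": Account("accounts", "accounts_clerk", shared=True),  # generic shared login
}
ACL_SNAPSHOT = [
    ("HR", "aoife.k"), ("Shared", "aoife.k"),
    ("HR", "sean.m"), ("Shared", "sean.m"), ("Finance", "sean.m"),   # old Finance access never removed
    ("HR", "brian.o"),
    ("Finance", "accounts"),
    ("Finance", "svc_legacy"),                                       # not in the directory at all
]

if __name__ == "__main__":
    for f in review_access(ACL_SNAPSHOT, DIRECTORY):
        print(f"{f.kind:8} {f.principal:12} {f.folder}")
```

Each finding line is the written record an auditor asks for: who held access they should not have, on which folder, and why it was flagged.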

7.  How Newtec Services Can Help

Newtec Services provides managed IT support and cybersecurity solutions to businesses and professional firms across Ireland from our offices in Dublin, Shannon, and Limerick. We are ISO 27001 certified — the same standard we help our clients work towards and maintain.

Our Identity & Access Management service addresses exactly the challenges discussed in this post, including:

  • Designing and implementing role-based access control structures for your organisation
  • Auditing existing folder and file permissions and identifying where access is excessive or undocumented
  • Building onboarding and offboarding workflows that ensure access is granted correctly from day one and removed promptly on departure
  • Implementing and documenting access review processes that satisfy GDPR accountability requirements, ISO 27001 audit expectations, and Q9000 IT Security module requirements
  • Advising on shared inbox governance and generic email account policies
  • Providing staff awareness training on data access, GDPR obligations, and information security

Our Identity & Access Management service: newtecservices.ie — Identity & Access Management

8.  Verified Sources and Further Reading

Every claim in this post has been verified against the primary source. The following official resources are directly applicable to Irish organisations:

Source | Link
DPC — Data Security Guidance for Organisations | dataprotection.ie/en/organisations/know-your-obligations/data-security-guidance
DPC — Guidance for Controllers on Data Security | dataprotection.ie/en/dpc-guidance/guidance-controllers-data-security
DPC — Principles of Data Protection (Article 5 GDPR) | dataprotection.ie/en/individuals/data-protection-basics/principles-data-protection
DPC — Data Security Guidance for Microenterprises | dataprotection.ie/en/dpc-guidance/data-security-guidance-microenterprises
Law Society — GDPR & Data Protection for Solicitors | lawsociety.ie/Solicitors/business-career-resources/data-protection/
Law Society — GDPR Guidance Series | lawsociety.ie/intellectual-property–data-protection-law/
LQSI — The Q9000 Standard | lqsi.ie/the-q9000/
LQSI — The Q Standard Overview | lqsi.ie/the-q-standard/
GDPR — Article 5: Principles of Processing | gdpr-info.eu/art-5-gdpr/
Data Protection Act 2018 (Irish legislation) | irishstatutebook.ie/eli/2018/act/7/enacted/en/html
ISO/IEC 27001:2022 — Information Security Management | iso.org/standard/27001
Newtec Services — Identity & Access Management | newtecservices.ie/cyber-security-ireland/identity-access-management/

Is Your Organisation’s Access Control Up to Standard?

Q9000 audit preparation • ISO 27001 readiness • GDPR-compliant access controls

📍Newtec Services Managed IT • Cybersecurity • Cloud Solutions • ISO 27001 Certified
Dublin: 01 531 3777   |   Shannon: 061 708 820   |   Limerick: 061 708 821
🌐www.newtecservices.ie  —  Contact us today for a free initial consultation

Disclaimer: This blog post reflects the regulatory framework applicable in Ireland as of May 2026, including the GDPR as enforced by the Data Protection Commission under the Data Protection Act 2018, ISO/IEC 27001:2022, and the Q9000 standard as described by the Legal Quality Standard of Ireland (LQSI). All Q9000 information has been sourced directly from lqsi.ie and cross-referenced with publicly available announcements from Q9000-accredited firms. DPC complaint and fine figures are sourced from the DPC Annual Report 2024. This post is intended as general information only and does not constitute legal advice. For legal advice specific to your organisation, please consult a qualified solicitor.
