
Privileged Access Management
PAM: security discipline controlling access to privileged accounts; absence cited by ICO as GDPR breach in Capita and Advanced Computer Software fines.
Last refreshed: 17 April 2026
Why is not having PAM now a legal liability under UK data-protection law?
Timeline for Privileged Access Management
Mentioned in: UK 24-hour reporting bill at Report
Cybersecurity: Threats and Defences - What is Privileged Access Management and do I need it?
- PAM (Privileged Access Management) controls access to administrative and privileged accounts through credential vaulting, session recording and just-in-time access grants. The UK ICO has fined organisations (Capita £14m, Advanced Computer Software £3.07m) for absent PAM controls under GDPR Article 32. Source: ICO / NCSC
- Is PAM required under GDPR?
- The UK ICO has established in its Capita and Advanced Computer Software monetary penalty notices that absent PAM controls are a GDPR Article 32 breach, treating NCSC's PAM guidance as the enforceable technical standard. For UK-regulated organisations, PAM is effectively a GDPR compliance requirement. Source: ICO
Background
Privileged Access Management (PAM) is the security discipline governing access to administrative and privileged accounts in enterprise IT environments. The ICO cited absent PAM controls as a directly causative failure in both the Capita £14m fine (October 2025) and the Advanced Computer Software £3.07m fine (March 2025), establishing PAM, as set out in NCSC guidance, as an enforceable GDPR Article 32 requirement.
PAM encompasses a set of controls: vaulting and rotating privileged credentials, recording and auditing privileged sessions, enforcing just-in-time access grants for administrative operations, and monitoring for anomalous privileged activity. Tooling includes products such as CyberArk, BeyondTrust and HashiCorp Vault; the architectural approach includes tiered administration models in which privileged accounts are isolated from internet-connected and day-to-day user environments.
The Stryker MDM wipe is the 2026 operational illustration of what absent MDM-level PAM looks like at scale: a single Intune admin credential with no session binding, step-up authentication or just-in-time grant gave an attacker mass-wipe authority across 200,000 devices. For CISOs, PAM is no longer a security recommendation; under the ICO's NCSC-as-baseline enforcement model, it is a compliance obligation for any UK-regulated organisation that processes personal data.
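The three missing controls named above (session binding, step-up authentication, just-in-time grant) can be expressed as a single policy check in front of a privileged operation. The following is an added illustration, not code from any PAM product or from the Stryker incident; the Grant and Request records, the 15-minute step-up freshness window and the target cap are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed JIT grant/request records for this example; not any PAM product's schema.
@dataclass
class Grant:
    principal: str        # admin identity the grant was issued to
    session_id: str       # session the grant is bound to (defeats credential replay)
    scope: str            # the one privileged action permitted, e.g. "device.wipe"
    expires_at: datetime  # end of the just-in-time window
    step_up_at: datetime  # last completed step-up authentication
    max_targets: int      # blast-radius cap for bulk operations

@dataclass
class Request:
    principal: str
    session_id: str
    action: str
    targets: int          # number of devices the action would touch

STEP_UP_MAX_AGE = timedelta(minutes=15)   # assumed freshness window for step-up MFA

def evaluate(grant: Grant, req: Request, now: datetime) -> tuple[bool, str]:
    """Allow a privileged action only under an active, session-bound, freshly
    step-up-authenticated JIT grant whose scope and target cap cover it."""
    if grant.principal != req.principal:
        return False, "grant issued to a different principal"
    if grant.session_id != req.session_id:
        return False, "grant not bound to this session"
    if grant.scope != req.action:
        return False, "action outside granted scope"
    if now >= grant.expires_at:
        return False, "just-in-time window expired"
    if now - grant.step_up_at > STEP_UP_MAX_AGE:
        return False, "step-up authentication stale"
    if req.targets > grant.max_targets:
        return False, f"{req.targets} targets exceeds cap of {grant.max_targets}"
    return True, "allowed"

NOW = datetime(2026, 4, 17, 10, 0, tzinfo=timezone.utc)
GRANT = Grant("intune-admin", "sess-A", "device.wipe", NOW + timedelta(hours=1),
              NOW - timedelta(minutes=5), max_targets=50)

def demo() -> dict:
    """Constructed cases: scoped wipe, credential replayed from another session, mass wipe."""
    legit = Request("intune-admin", "sess-A", "device.wipe", 3)
    replay = Request("intune-admin", "sess-B", "device.wipe", 200000)
    bulk = Request("intune-admin", "sess-A", "device.wipe", 200000)
    return {"legit": evaluate(GRANT, legit, NOW), "replay": evaluate(GRANT, replay, NOW),
            "bulk": evaluate(GRANT, bulk, NOW)}
```

With a session-bound, time-boxed and capped grant, a stolen credential used from another session is refused outright, and even the legitimate session cannot issue a wipe that exceeds the agreed blast radius without a fresh, larger grant.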