
Privileged Access Management
PAM: security discipline controlling access to privileged accounts; absence cited by ICO as GDPR breach in Capita and Advanced Computer Software fines.
Last refreshed: 17 April 2026 · Appears in 1 active topic
Why is not having PAM now a legal liability under UK data-protection law?
Timeline for Privileged Access Management
Mentioned in: ICO fines South Staffs Water £963,900
Cybersecurity: Threats and DefencesIdentified as the deployment context triggering LSASS reboot loops patched by KB5091157
Cybersecurity: Threats and Defences: KB5091157, Gentlemen C2 intel, ENISA CNAs: in briefMentioned in: UK 24-hour reporting bill at Report
Cybersecurity: Threats and DefencesWhat is Privileged Access Management and do I need it?
Is PAM required under GDPR?
Background
Privileged Access Management (PAM) is the security discipline governing access to administrative and privileged accounts in enterprise IT environments. The ICO cited absent PAM controls as a directly causative failure in both the Capita £14m fine (October 2025) and the Advanced Computer Software £3.07m fine (March 2025), establishing PAM as an enforceable GDPR Article 32 requirement when followed by NCSC guidance.
PAM encompasses a set of controls: vaulting and rotating privileged credentials, recording and auditing privileged sessions, enforcing just-in-time access grants for administrative operations, and monitoring for anomalous privileged activity. The tools include products such as CyberArk, BeyondTrust and HashiCorp Vault; the architectural approach includes tiered administration models in which privileged accounts are isolated from internet-connected and day-to-day user environments.
The Stryker MDM wipe is the 2026 operational illustration of what absent MDM-level PAM looks like at scale: a single Intune admin credential with no session binding, step-up authentication or just-in-time grant gave an attacker mass-wipe authority across 200,000 devices. For CISOs, PAM is no longer a security recommendation; under the ICO's NCSC-as-baseline enforcement model, it is a compliance obligation for any UK-regulated organisation that processes personal data.