Team Management

Invite team members, assign roles, and manage user access within your organisation

5 min read · Updated 26 February 2026 · Client Admin

GDPR compliance is a team effort. From the IT department identifying data flows to the legal team reviewing policies, from marketing managing consent to HR handling employee data — everyone has a part to play. GDPR4All's team management features allow Client Admins to invite colleagues, assign appropriate roles, and ensure that each team member has exactly the level of access they need to fulfil their responsibilities.

Inviting Team Members

As a Client Admin, you can invite new team members to your organisation directly from the platform. The process is straightforward:

  1. Navigate to Settings > Team or the team management section.
  2. Click Invite Member.
  3. Enter the person's email address and select the role you want to assign.
  4. Send the invitation.

The invited person receives an email with a link to set their password and access the platform. If your organisation uses Google or Azure AD single sign-on, they can sign in using their existing corporate credentials.

What Happens on First Login

When the invited team member signs in for the first time:

  • They are automatically associated with your organisation (tenant).
  • They see a dashboard tailored to their assigned role.
  • They have immediate access to the features and modules permitted by their role.

Understanding the Four Client-Tier Roles

GDPR4All uses a role-based access control model that follows the principle of least privilege. There are four roles available for client-tier users, each designed for a specific set of responsibilities.

Client Admin

The Client Admin is the organisation owner and has the highest level of access within the tenant. This role is typically assigned to the person ultimately responsible for GDPR compliance — often a managing director, head of compliance, or IT director.

Client Admins can:

  • Access all compliance modules — ROPA, Breaches, Consent, DPIAs, DSRs, Documents, and Vendor Management — with full create, read, update, and delete permissions.
  • Manage team members — invite new users, change roles, and remove users from the organisation.
  • Assign a DPO — designate a Data Protection Officer from the Settings page.
  • Approve documents and DPIAs — serve as a reviewer in the approval workflow, signing off on privacy policies, DPIA reports, and other critical documents.
  • Access billing and settings — view and manage subscription details, organisation profile, and configuration.
  • View all training assignments — see the progress of every team member across all assigned courses.

Compliance Officer

The Compliance Officer role is designed for staff members who work directly on GDPR compliance activities but do not need access to administrative functions. This is the ideal role for a dedicated compliance manager, a data protection coordinator, or a member of the legal team.

Compliance Officers can:

  • Access all compliance modules with full create, read, update, and delete permissions — identical to the Client Admin for compliance purposes.
  • Submit documents and DPIAs for review — they can create and edit compliance records and submit them through the approval workflow.
  • View all training assignments — monitor team progress across courses.

Compliance Officers cannot:

  • Manage team members or invitations.
  • Access billing or subscription settings.
  • Approve documents or DPIAs — this maintains the separation of duties between those who create records and those who approve them.

Client User

The Client User role is for general staff members who need basic awareness of compliance activities but should not create or modify records. This is the most common role, assigned to employees across departments who handle personal data in their daily work.

Client Users can:

  • View compliance records in read-only mode — they can see processing activities, breach incidents, consent records, and other compliance data, but they cannot edit anything.
  • Complete assigned training — this is the primary function for Client Users. They can access their assigned courses, work through lesson content, take quizzes, and sit course exams.
  • View their own training assignments — they see only the courses assigned to them, not the assignments of other team members.

Client Users cannot:

  • Create, edit, or delete any compliance records.
  • Access settings, billing, or team management.
  • View other users' training assignments.

Data Protection Officer (DPO)

The DPO role is unique because it operates across organisational boundaries. A DPO may be an internal employee serving a single organisation or an external consultant appointed to oversee multiple organisations. Article 37 of the GDPR requires certain organisations to designate a DPO, and this role reflects the independence and cross-cutting authority that the position demands.

DPOs can:

  • View and manage compliance records across all organisations they are assigned to, with permissions comparable to a Client Admin's for the compliance modules (the data subject request module is the one exception, described below).
  • Approve DPIAs and documents — the DPO's independent oversight role makes them a natural reviewer in the approval workflow.
  • Switch between organisations — using the tenant switcher in the sidebar, DPOs can move between the organisations they are responsible for without logging out and back in.
  • Update DSR internal notes and assignments — DPOs can add internal notes to data subject requests and reassign them, but they cannot modify other DSR fields, preserving the integrity of the request record.
  • Access training and documents across their assigned organisations.

DPOs cannot:

  • Manage team members, billing, or organisation settings for the organisations they oversee (unless they also hold a Client Admin role in that specific organisation).
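The four roles, the tenant scoping and the DPO's field-level limit on data subject requests together form a small access policy that is easy to get subtly wrong when it exists only as prose. The following Python model is an added example written for this article; it is not GDPR4All's own authorisation code. The module names, action names, the DSR field names (internal_notes, assigned_to) and the choice to deny DPOs create and delete on DSRs are assumptions. It encodes each rule stated in the role descriptions above and returns a reason with every decision so that a denial can be explained during an access review.

```python
"""Illustrative model of the GDPR4All client-tier role matrix described above.

Example code written for this article, not the product's own authorisation
logic. Module names, action names and DSR field names are assumptions.
"""
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    CLIENT_ADMIN = "client_admin"
    COMPLIANCE_OFFICER = "compliance_officer"
    CLIENT_USER = "client_user"
    DPO = "dpo"


# Assumed identifiers for the modules and actions named in the article.
COMPLIANCE_MODULES = frozenset(
    {"ropa", "breaches", "consent", "dpias", "dsrs", "documents", "vendors"}
)
ADMIN_MODULES = frozenset({"team", "billing", "settings"})
CRUD = frozenset({"create", "read", "update", "delete"})
# DSR fields a DPO may change (assumed names): internal notes and assignment.
DPO_DSR_WRITABLE = frozenset({"internal_notes", "assigned_to"})


@dataclass(frozen=True)
class User:
    email: str
    role: Role
    tenants: frozenset  # organisations the account belongs to; a DPO may have several


@dataclass(frozen=True)
class Request:
    actor: User
    tenant: str                      # organisation the request is made in
    module: str
    action: str                      # CRUD, "submit", "approve" or "view_training"
    fields: frozenset = frozenset()  # for "update": record fields being changed
    target_user: str = ""            # for "view_training": whose assignments


def decide(req: Request) -> tuple:
    """Return (allowed, reason); the first failing check explains a denial."""
    a = req.actor
    # 1. Tenant scoping applies to every role, including the cross-tenant DPO.
    if req.tenant not in a.tenants:
        return False, "actor is not a member of this organisation"
    # 2. Team, billing and settings are Client Admin only.
    if req.module in ADMIN_MODULES:
        return a.role is Role.CLIENT_ADMIN, "admin modules require Client Admin"
    # 3. Client Users see only their own training assignments.
    if req.action == "view_training":
        if a.role is Role.CLIENT_USER and req.target_user != a.email:
            return False, "Client User may view only their own training"
        return True, "training assignments visible"
    if req.module not in COMPLIANCE_MODULES:
        return False, "unknown module"
    # 4. Client Users are read-only across the compliance modules.
    if a.role is Role.CLIENT_USER:
        return req.action == "read", "Client User is read-only"
    # 5. Approval is reserved for Client Admin and DPO (separation of duties).
    if req.action == "approve":
        return a.role in (Role.CLIENT_ADMIN, Role.DPO), "approval requires Client Admin or DPO"
    if req.action == "submit":
        return True, "submit for review"
    if req.action not in CRUD:
        return False, "unknown action"
    # 6. DPOs may only annotate and reassign DSRs. Denying create/delete is an
    #    assumption drawn from "preserving the integrity of the request record".
    if a.role is Role.DPO and req.module == "dsrs":
        if req.action == "read":
            return True, "DPO may read DSRs"
        if req.action == "update":
            extra = req.fields - DPO_DSR_WRITABLE
            if extra:
                return False, f"DPO may not modify DSR fields: {sorted(extra)}"
            return True, "DPO note/assignment update"
        return False, "DPO may not create or delete DSRs (assumed)"
    return True, "full access to compliance modules"


# Constructed sample accounts (not real users).
ADMIN = User("ada@example.org", Role.CLIENT_ADMIN, frozenset({"acme"}))
OFFICER = User("olu@example.org", Role.COMPLIANCE_OFFICER, frozenset({"acme"}))
STAFF = User("sam@example.org", Role.CLIENT_USER, frozenset({"acme"}))
DPO = User("dee@dpo-consult.example", Role.DPO, frozenset({"acme", "globex"}))


def demo() -> dict:
    """Evaluate a handful of constructed requests and return their decisions."""
    checks = {
        "officer_approves_dpia": Request(OFFICER, "acme", "dpias", "approve"),
        "admin_approves_dpia": Request(ADMIN, "acme", "dpias", "approve"),
        "dpo_approves_in_second_tenant": Request(DPO, "globex", "documents", "approve"),
        "dpo_reads_unassigned_tenant": Request(DPO, "initech", "documents", "read"),
        "dpo_updates_dsr_status": Request(
            DPO, "acme", "dsrs", "update", frozenset({"internal_notes", "status"})
        ),
        "staff_edits_ropa": Request(STAFF, "acme", "ropa", "update"),
        "staff_views_others_training": Request(
            STAFF, "acme", "training", "view_training", target_user="olu@example.org"
        ),
    }
    return {name: decide(r) for name, r in checks.items()}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {name}: {why}")
```

Running the block shows the separation of duties in action: the Compliance Officer's approval is refused while the same action from the Client Admin or DPO succeeds, and a DPO who tries to change a DSR's status rather than its notes or assignee is refused even though they are a member of that tenant. Because every decision carries a reason, the same function can double as the explanation column in a quarterly access review.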

Role Assignment and Modification

Assigning Roles

When you invite a new team member, you select their role at the time of invitation. Choose the role that best matches their responsibilities:

  • If they will work directly on compliance activities, assign Compliance Officer.
  • If they need general awareness and training access, assign Client User.
  • If they are your designated Data Protection Officer, assign DPO (and complete the DPO assignment in Settings).

Changing Roles

If a team member's responsibilities change, you can modify their role from the team management section. Common scenarios include:

  • Promoting a Client User to Compliance Officer when they take on compliance responsibilities.
  • Assigning the DPO role to an existing team member who has been appointed as Data Protection Officer.
  • Downgrading a departing Compliance Officer to Client User during a transition period.

Role changes are applied to the account immediately; the user's dashboard and available features update the next time they navigate or refresh the page, so no sign-out is required.

Removing Team Members

When a team member leaves the organisation, remove their access promptly from the team management section, the same place roles are changed. This is itself a GDPR best practice: access to personal data should be revoked as soon as it is no longer needed, and controlling who can reach personal data is part of the security-of-processing measures expected under Article 32. Before removing an account, check whether that person is your designated DPO and, if so, update the DPO assignment in Settings as well. If a handover period is needed, downgrading the account to Client User for the transition and removing it afterwards is the alternative to immediate removal.

Tips for Effective Team Management

  • Apply least privilege — assign the minimum role necessary for each person to do their job. Not everyone needs Client Admin access. Most team members will be well served by the Client User role with targeted training assignments.
  • Assign the Compliance Officer role to key staff — identify the two or three people who are most involved in your GDPR programme and give them Compliance Officer access. This ensures continuity if one person is unavailable.
  • Review access regularly — at least quarterly, review who has access to your GDPR4All account and what roles they hold. Remove access for anyone who has left the organisation or changed departments.
  • Document your role decisions — keep a record of why each person has the role they do. This supports your accountability obligations under the GDPR and makes it easier for auditors to understand your access control model.
  • Separate creators from approvers — take advantage of the role structure to enforce separation of duties. Have Compliance Officers create documents and DPIAs, and have the Client Admin or DPO review and approve them. Bear in mind that a Client Admin holds both create and approve rights, so with the Admin as approver the separation depends on working practice; Compliance Officers cannot approve at all, which is the part the platform enforces for you.
  • Use training assignments strategically — assign role-appropriate training to every team member. Client Users should complete at least the GDPR Fundamentals course. Compliance Officers should complete all five pre-loaded courses.
  • Designate a DPO early — if your organisation is required to have a DPO (or you choose to appoint one voluntarily), designate them in GDPR4All as soon as possible. Their cross-organisational oversight is a significant compliance asset. It also makes the DPO account a high-value one, since a single set of credentials reaches every organisation the DPO is assigned to, so protect it with the strongest sign-in option available to you and include it in your access reviews.

Effective team management is the foundation of a successful GDPR programme. By ensuring the right people have the right access, you create an environment where compliance is everyone's responsibility and no one has more access than they need.
