Preparing for the GDPR: Designing Active Directory groups

One consequence of the GDPR is that every user who has access to personal data has to be accounted for and monitored. As a best practice, only groups, never individual users, should appear on the access control lists (ACLs) that protect personal data. That means the groups themselves, and in particular their membership, are what you have to monitor for changes. To keep the amount of monitoring the GDPR demands manageable, create groups that are dedicated to accessing personal data. Only those groups then need to be monitored at the level the GDPR requires, and a membership change in one of them always means a change in who can reach personal data.

If you decide not to create dedicated groups for accessing personal data, consider the following scenario. You take an existing group and place it on the ACL for personal data. It is safe to assume that the group is already being used in some other capacity. When the requirements for that other use change and more users are added to the group, those users silently gain access to personal data as well, without anyone touching the ACL and without anyone having reviewed their need for that access. That is exactly the kind of unreviewed access the GDPR requires you to prevent and to be able to detect.

However, if you create groups that are dedicated to accessing personal data and name them accordingly (with a consistent prefix that references GDPR, for example), you can track them separately from the groups that grant access to non-personal data. With that separation in place it is easy to configure which groups are monitored, and it is just as easy to monitor the ACLs on personal data: any entry that does not name one of the dedicated groups is, by definition, something that needs to be reviewed.
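The check described above, as an added example that is not code from the original article: it walks the ACLs of the shares that hold personal data and reports every explicit entry that is not one of the dedicated groups, classifying each finding as an individual user, a shared (non-dedicated) group, or a principal that does not exist in AD. The "GDPR-" naming prefix, the share paths in $PersonalDataPaths and the module requirement are assumptions and must be adapted to your environment.

```powershell
# Added example; not code from the original article. Assumptions: dedicated
# personal-data groups are named with the prefix "GDPR-", and $PersonalDataPaths
# lists the shares that hold personal data (both hypothetical). Requires the
# RSAT ActiveDirectory module and read access to the folder ACLs.
#Requires -Modules ActiveDirectory

$GroupPrefix       = 'GDPR-'
$PersonalDataPaths = @('\\fs01\HR\Personnel', '\\fs01\Finance\Payroll')   # hypothetical
$Domain            = (Get-ADDomain).NetBIOSName

# Index the dedicated groups once, keyed the way identities appear in an ACL (DOMAIN\name).
$Dedicated = @{}
foreach ($G in Get-ADGroup -Filter "Name -like '$GroupPrefix*'") {
    $Dedicated["$Domain\$($G.SamAccountName)"] = $true
}

# Principals that are not people and are expected on any folder; everything else is reviewed.
$Ignore = @('NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

$Findings = foreach ($Path in $PersonalDataPaths) {
    $Acl = Get-Acl -Path $Path
    foreach ($Ace in $Acl.Access) {
        if ($Ace.IsInherited) { continue }   # explicit entries only; inherited ones are reviewed at their source
        $Identity = $Ace.IdentityReference.Value
        if ($Identity -in $Ignore -or $Dedicated.ContainsKey($Identity)) { continue }

        # Not a dedicated group: find out what it is so the finding says why it matters.
        $Sam = $Identity.Split('\')[-1].Replace("'", "''")
        $Obj = Get-ADObject -Filter "SamAccountName -eq '$Sam'" -ErrorAction SilentlyContinue
        $Problem = switch ($Obj.ObjectClass) {
            'user'  { 'Individual user on ACL' }
            'group' { 'Shared (non-dedicated) group on ACL' }
            default { 'Principal not found in AD (local or built-in account)' }
        }
        [pscustomobject]@{
            Path     = $Path
            Identity = $Identity
            Rights   = $Ace.FileSystemRights
            Type     = $Ace.AccessControlType
            Problem  = $Problem
        }
    }
}

$Findings | Format-Table -AutoSize
```

Run it from a management host that can read the ACLs of every share in the list. An empty result means every explicit entry on those folders is one of the dedicated groups, which is the state you want to reach before you switch on membership monitoring; each finding is either an individual user to move into a dedicated group or a shared group whose membership you cannot vouch for.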

If you are considering keeping your existing groups and using them for access to personal data, test that assumption before you make a final decision: measure how often the membership of those groups actually changes. What you will most likely find is that membership changes far too often for an existing, shared group to be used for personal data.
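One way to run that test, as an added example that is not code from the original article: count the membership-change events for the candidate groups in the Security logs of all domain controllers over the last 90 days and report the churn per group. It assumes the "Audit Security Group Management" subcategory is enabled on the domain controllers (without it the events 4728/4729, 4732/4733 and 4756/4757 are never written), that you can read the Security log remotely, and that $Candidates holds the hypothetical names of the existing groups you are evaluating.

```powershell
# Added example; not code from the original article. Measures how often the
# membership of candidate groups changes, using the Security Group Management
# audit events from every DC (a change is logged only on the DC that processed it).
# Assumes auditing is enabled and remote event-log access; $Candidates is hypothetical.
#Requires -Modules ActiveDirectory

$Days       = 90
$Candidates = @('Finance-Users', 'HR-Staff')     # hypothetical existing groups to evaluate

# Member added / removed for global (4728/4729), domain-local (4732/4733) and universal (4756/4757) groups
$AddIds    = 4728, 4732, 4756
$RemoveIds = 4729, 4733, 4757

$DCs = (Get-ADDomainController -Filter *).HostName
$Events = foreach ($DC in $DCs) {
    Get-WinEvent -ComputerName $DC -FilterHashtable @{
        LogName   = 'Security'
        Id        = $AddIds + $RemoveIds
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
}

# Flatten each event's EventData into one record per change
$Changes = foreach ($E in $Events) {
    $Xml  = [xml]$E.ToXml()
    $Data = @{}
    foreach ($D in $Xml.Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }
    [pscustomobject]@{
        Time      = $E.TimeCreated
        GroupName = $Data['TargetUserName']   # the group whose membership changed
        Member    = $Data['MemberName']       # DN of the account added or removed
        Action    = if ($E.Id -in $AddIds) { 'Added' } else { 'Removed' }
        ChangedBy = $Data['SubjectUserName']
    }
}

# Churn summary per candidate group
$Changes |
    Where-Object { $_.GroupName -in $Candidates } |
    Group-Object GroupName |
    ForEach-Object {
        [pscustomobject]@{
            GroupName       = $_.Name
            ChangesInPeriod = $_.Count
            ChangesPerWeek  = [math]::Round($_.Count / ($Days / 7), 1)
            LastChange      = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Format-Table -AutoSize
```

A candidate group that shows several changes a week is being managed for some other purpose and is a poor carrier for personal-data access; a dedicated group, by contrast, should change rarely, and every one of its changes is a review item. The $Changes records themselves (who added whom, when) are the same data you will need to keep once the dedicated groups are in place, so the script doubles as a first version of the membership monitoring.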

As organizations continue to prepare for the GDPR, we are all finding out that meeting this compliance regulation will take much more work than originally thought. Preparing now is the best thing you can do. 

