GDPR Password Policy

GDPR avoids stating any particular technologies that organisations should use when securing consumer data, but instead refers to “appropriate security” or “appropriate safeguards”. This vagueness is deliberate; it ensures that the legislation is robust enough to survive any future technological advancements. However, it is difficult for organisations to interpret this text and figure out how to implement it in the day-to-day running of their organisation, even with relatively simple technologies.

Some of the most important and regularly encountered security measures are passwords. If used correctly, passwords can be secure and cost-effective safeguards. The most straightforward way to ensure employees use passwords correctly is to introduce a “password policy”. All employees should be trained in GDPR-compliant password security.

Organisations should instruct employees on how to create strong passwords. As the name implies, strong passwords are more robust to some of the methods that hackers use to break into accounts. As passwords often serve as the first line of defence against data breaches, organisations should require employees to use strong passwords on all of their accounts.

Employees should be taught to recognise what constitutes “weak” passwords in addition to knowing how to make a strong one. Weak passwords include names, birthdays, or simple strings of numbers such as “1234”. These are all susceptible to a hacker’s brute-force attacks. It is important to remember that if a hacker takes control of one account, the whole organisation’s network is endangered.

Some features of strong passwords include:

  • long
  • include a mix of upper- and lower-case letters (an unpredictable mix is even better, such 
as writing daTaprOtEctioN instead of data protection)
  • include a number
  • include a special character, such as $, %, @ or !
  • do not include names or place names
  • no obvious substitutions (such as 0 for o)
  • misspelt words, so that they’re not in the dictionary
  • unique and not used for multiple accounts

Organisations may to securely store all employee passwords in a particular location for security reasons. If this is necessary, the organisation should take precautions to ensure that unauthorised individuals do not access the passwords. Encryption or some other high- level safeguard should be used to secure the passwords.

Organisations should implement procedures to ensure that both employee and consumer passwords can be securely reset. GDPR requires organisations to demonstrate that their password reset processes are secure. For example, organisations must show that any employee that may be assisting in the password reset cannot directly access the passwords themselves, as this would breach the customer’s privacy.

Many organisations use a secure “self-service” password reset system. These multi-factor authentications are secure enough to be deemed-GDPR compliant. Through this system, a customer reports on the website that they need to reset their password, and the system checks their identity through a two- or multi-factor identification system. These identification steps may include sending an email to their account, or a text to their phone, which contains a unique code which then must be submitted online to proceed. If used within a specified period, this then allows for a window of time in which the user can reset their password.

With advances in technology, multi-factor authentication systems can offer individuals new ways to authenticate their identity. These may include voice recognition, smart cards, or even fingerprint recognition are all potential safeguards. Using multiple authentication methods may help an organisation in satisfying GDPR’s strict requirements, but caution must be taken to ensure that sensitive information, such as the fingerprint data, is adequately protected to help prevent fraud.

Secure storage of passwords is essential to ensure compliance with GDPR. The regulations state “In order to maintain security and to prevent processing in infringement of [the GDPR], the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.”