
New GDPR Guidance For Passwords

Tagged with gdpr, ico, data, free, freeadvice, gdprtemplate, easygdpr, gdprfree
by Adam Brogden
in Blog

02-Nov-2018 13:35

New GDPR guidance on passwords has been published by the ICO. Here is a summary.

Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures. Passwords are a commonly used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing. You should also consider whether there are any better alternatives to using passwords.

Any password system you deploy must protect against theft of stored passwords and ‘brute-force’ or guessing attacks. There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.
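One concrete way to meet the hashing and brute-force points above, written for this summary as an added Python example rather than code from the ICO guidance or from this site: stored passwords are salted and stretched with PBKDF2-HMAC-SHA256 from the standard library, verified in constant time, and each account is throttled after repeated failures. The iteration count, attempt limit and lockout window are assumed illustrative values, not figures from the guidance.

```python
import hashlib
import hmac
import os
import time

# Assumed illustrative parameters; tune to your risk and review them periodically.
PBKDF2_ITERATIONS = 600_000   # work factor: raise as hardware gets faster
MAX_FAILED_ATTEMPTS = 5       # consecutive failures before the account is throttled
LOCKOUT_SECONDS = 900         # 15-minute cool-down after too many failures


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex)."""
    salt = os.urandom(16)  # unique per password, so equal passwords hash differently
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt/iterations; compare in constant time."""
    alg, iterations, salt_hex, digest_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                               bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


class LoginGuard:
    """Per-account failure counter (constructed in-memory store; a real system persists it).

    A hard lockout is the simplest brute-force defence but can be abused to lock out
    legitimate users, so production systems usually throttle rather than block outright.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._state = {}  # username -> (failed_count, locked_until)

    def attempt(self, username: str, record: str, candidate: str) -> str:
        failed, locked_until = self._state.get(username, (0, 0.0))
        if self._now() < locked_until:
            return "locked"                       # do not even check the password
        if verify_password(record, candidate):
            self._state[username] = (0, 0.0)      # success clears the counter
            return "ok"
        failed += 1
        if failed >= MAX_FAILED_ATTEMPTS:
            self._state[username] = (0, self._now() + LOCKOUT_SECONDS)
            return "locked"
        self._state[username] = (failed, 0.0)
        return "denied"
```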

What is required under the GDPR?

The GDPR does not say anything specific about passwords. However, Article 5(1)(f) states that personal data shall be:
‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

This is the GDPR’s ‘integrity and confidentiality’ principle, or, more simply, the ‘security’ principle. So, although there are no provisions on passwords, the security principle requires you to take appropriate technical and organisational measures to prevent unauthorised processing of personal data you hold. This means that when you are considering a password setup to protect access to a system that processes personal data, that setup must be ‘appropriate’.

What are the other considerations?

Although the GDPR does not define what is ‘appropriate’, it does provide further considerations in Article 32, ‘security of processing’:
‘Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.’

This means that when considering any measures, you can consider the state of technological development and the cost of implementation – but the measures themselves must ensure a level of security appropriate to the nature of the data being protected and the harm that could be caused by unauthorised access. You cannot simply set up a password system and then forget about it – there must be a periodic review process.

You must also ensure that you are aware of the state of technological development in this area and must ensure that your processes and technologies are robust against evolving threats. For example, advances in processing power can reduce the effectiveness of cryptography, particular design choices can become outdated, and so on. You must also consider whether there might be better alternatives to passwords that can be used to secure a system.

Article 25 of the GDPR also requires you to adopt a data protection by design approach. This means that whenever you develop systems and services that are involved in your processing, you should ensure that you take account of data protection considerations at the initial design stage and throughout the lifecycle. This applies to any password system you intend to use.

At the same time, provided you properly implement a password system, it can be one element used to demonstrate compliance with your obligations under data protection by design.

Feel free to call us anytime to discuss.

Good Luck All.