GDPR Password Policy
The General Data Protection Regulation (GDPR), which has applied since 25 May 2018, has been described by experts as the biggest change to EU personal data law since the 1995 Data Protection Directive. GDPR is made up of 99 Articles and 173 recitals, and was designed to update data protection law across the EU (and EEA) and introduce a single European standard. Because any organisation that handles data collected within EU countries, whether it is located inside or outside the EU, is expected to comply with the regulation, GDPR’s impact has been felt worldwide.
GDPR covers all areas of business practice, ranging from how data is collected and how it is transferred between organisations or internationally, to what types of information may be stored and for how long. In particular, GDPR places a large emphasis on data security. Previous EU laws on data security were deemed insufficient and not on par with modern technology. As phishing and other cyberattacks have become substantial threats to the security of personal data, and are likely to become more dangerous, the drafters of GDPR tried to ensure that the new regulation would not only deal with current threats but would remain robust as technology changes.
Article 5(1)(f) of GDPR stipulates that personal data shall be “processed in a manner that ensures appropriate security of the personal data”. The drafters avoided naming specific security measures or technologies, since these may become obsolete as technology progresses. This also gives organisations freedom to audit their data and choose the safeguards that best suit their circumstances and financial means. However, working out which practices are compatible with GDPR can be difficult. GDPR’s language is often quite vague; it refers to “appropriate safeguards”, “appropriate security”, and “appropriate measures”, but what does this actually mean in practice?
GDPR Compliant Passwords
One area that is probably most relevant to the day-to-day running of an organisation is the use of passwords. GDPR does not mention the word “password” anywhere in its text. Passwords may become outmoded one day, but for now they are a vital safeguard for the protection of data. As a fundamental defence against unauthorised individuals accessing personal data, it is key that organisations ensure their password policies are fully up to standard.
Although passwords are not mentioned directly, GDPR does give some guidance on what it deems to be adequate security measures. Recital 83 states that “measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected”, and Article 32 lists the pseudonymisation and encryption of personal data among the measures to be considered.
With the correct framework in place, passwords can be a confidential, secure, and cost-effective safeguard. The easiest way to ensure that this framework is maintained at every level of an organisation is to introduce a written password policy and train all employees in what GDPR expects of them in terms of password security.
What to include in a Password Policy
The first step in ensuring that an organisation has a good password policy is instructing employees in how to create strong passwords. So-called “weak” passwords, such as names, birthdays, or simple strings of numbers like “1234”, fall quickly to guessing and brute-force attacks. If an attacker takes control of one account, they can often use it as a foothold to reach the rest of the organisation’s systems and the personal data they hold. It is therefore crucial that everybody in the organisation takes proper care to ensure that their passwords are up to standard.
Some features of strong passwords include (length counts for more than any single rule below, so a policy should also set a generous minimum length):
- a mix of upper- and lower-case letters (an unpredictable mix is even better, such as writing eurOpE instead of Europe)
- at least one number
- at least one special character, such as $, %, @ or !
- no names or place names
- no obvious substitutions (such as 0 for o), which password-cracking tools try automatically
- misspelled words, so that they are not in the dictionary or in cracking wordlists
- unique to one account and not reused elsewhere
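The rules above can be checked mechanically before a password is accepted. The following Python checker is an added example, not code from the article or from any particular product: it applies the list above, undoes common substitutions before looking for names and dictionary words, and uses small constructed word lists and an assumed 12-character minimum in place of the full dictionaries and breached-password lists a real deployment would load.

```python
import re
import string

# Constructed sample lists for the demo. A real deployment would load a full
# dictionary, a list of staff and place names, and a breached-password list
# (assumed sources, not something the article specifies).
BLOCKED_NAMES = {"alice", "bob", "london", "paris", "europe"}
DICTIONARY_WORDS = {"password", "summer", "welcome", "dragon", "monkey"}

# The "obvious substitutions" the policy forbids: undo them before checking,
# so "Eur0pe" and "Europe" are treated alike.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

MIN_LENGTH = 12  # assumed minimum; the article's list gives no number


def normalise(password: str) -> str:
    """Lower-case and undo leet-style substitutions."""
    return password.translate(LEET_MAP).lower()


def letters_only(text: str) -> str:
    """Keep only a-z so that 'Summer2024!' is compared as 'summer'."""
    return re.sub(r"[^a-z]", "", text)


def check_password(password: str) -> list[str]:
    """Return the codes of every policy rule the password breaks.

    An empty list means the password satisfies the checkable rules. Rule codes:
    too_short, case_mix, digit, special, name, dictionary.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        failures.append("case_mix")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in string.punctuation for c in password):
        failures.append("special")

    norm = normalise(password)
    # Names and place names are rejected even when disguised with substitutions.
    if any(name in norm for name in BLOCKED_NAMES):
        failures.append("name")
    # A dictionary word padded with digits or symbols is still a dictionary word;
    # compare both the raw letters and the de-substituted letters.
    if letters_only(password.lower()) in DICTIONARY_WORDS or letters_only(norm) in DICTIONARY_WORDS:
        failures.append("dictionary")
    return failures


if __name__ == "__main__":
    for candidate in ["password", "Eur0pe!2024", "L0nd0n2024!!", "correct-Horse7batteryStaple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
```

Reuse across accounts cannot be judged from the password alone; in practice it is approximated by rejecting any password that appears in a breached-password list, which is the same check the `DICTIONARY_WORDS` set stands in for here.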
Many policies require employees to reset their passwords periodically. Current guidance such as NIST SP 800-63B advises against forcing routine changes, because users respond with predictable variations of the old password; a better policy is to require a change only when there is evidence of compromise, for example when the password appears in a known breach. If an organisation needs to keep shared credentials somewhere, for example in a password vault, that store must be encrypted and access to it restricted and logged. Credentials that a system uses only to verify logins should not be stored reversibly at all: they should be salted and hashed with a deliberately slow function (Argon2, bcrypt, scrypt or PBKDF2), so that even a leaked database does not reveal the passwords.
In addition to ensuring that passwords are created in a secure manner, organisations must have adequate procedures in place so that resetting a password does not itself pose a significant security risk. Systems must be in place to help both customers and employees reset passwords. Under GDPR’s accountability principle, organisations must be able to demonstrate that their reset processes are secure. For example, an employee assisting with a reset must not be able to see the customer’s current or new password, as this would breach the customer’s confidentiality; the system should only ever let staff trigger a reset, never read a password.
A common approach is a secure “self-service” reset system. A customer reports on the website that they need to reset their password, and the system verifies their identity through a second factor. This may be an email to their registered address or a text to their phone containing a unique code, which must then be submitted online to proceed. The code should be valid only for a short period and for a single use, opening a window in which the password may be reset. A time-limited, one-time code delivered out of band is a widely accepted way of meeting the “appropriate measures” requirement, although GDPR itself does not certify any specific mechanism.
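The flow just described, as an added Python example (not the article’s or any vendor’s code): the service issues a random eight-digit code, keeps only an HMAC of it under a server-side key, and accepts it once within an assumed 15-minute window and an assumed five wrong guesses. Delivery of the code (an email or SMS gateway) is assumed to exist outside the snippet, and the clock is injectable so that the expiry path can be exercised.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed values for the demo; the article only says the code must be used
# "within a certain period of time".
CODE_TTL_SECONDS = 15 * 60   # code valid for 15 minutes
MAX_ATTEMPTS = 5             # wrong guesses allowed before the code is voided
CODE_DIGITS = 8

# Server-side key so that a leaked table of pending resets cannot be brute-forced
# offline against the 10**8 possible codes. Generated here for the demo; in
# practice it is loaded from a secret store.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class PendingReset:
    code_mac: bytes      # HMAC of the code, never the code itself
    expires_at: float
    attempts: int = 0


class ResetService:
    """Self-service reset: issue a one-time code, verify it once, then allow a new password."""

    def __init__(self, clock=time.time):
        self._clock = clock                       # injectable for testing expiry
        self._pending: dict[str, PendingReset] = {}

    @staticmethod
    def _mac(user_id: str, code: str) -> bytes:
        return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def start_reset(self, user_id: str) -> str:
        """Create a fresh code for the user and return it for out-of-band delivery.

        The caller hands the code to the email/SMS gateway (assumed to exist); the
        service keeps only its MAC, so neither a helpdesk operator nor a database
        dump reveals the code, and the user's password is never involved.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = PendingReset(
            code_mac=self._mac(user_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code

    def complete_reset(self, user_id: str, code: str) -> tuple[bool, str]:
        """Check a submitted code. Success consumes the code (single use)."""
        req = self._pending.get(user_id)
        if req is None:
            return False, "no pending reset"
        if self._clock() > req.expires_at:
            del self._pending[user_id]
            return False, "code expired"
        if req.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False, "too many attempts"
        req.attempts += 1
        if not hmac.compare_digest(self._mac(user_id, code), req.code_mac):
            return False, "wrong code"
        del self._pending[user_id]          # one code, one successful use
        return True, "verified; new password may be set"


if __name__ == "__main__":
    svc = ResetService()
    code = svc.start_reset("alice")       # in production this goes to the user's phone or email
    print(svc.complete_reset("alice", "00000000"))   # almost certainly a wrong guess
    print(svc.complete_reset("alice", code))         # accepted
    print(svc.complete_reset("alice", code))         # replay is refused
```

The attempt limit is what makes an eight-digit code acceptable online; the HMAC under a server-side key is what stops an attacker who has copied the pending-reset table from simply trying all 10^8 codes offline.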
Some organisations offer individuals multiple ways to identify themselves beyond the usual username/password combination. Voice recognition, smart cards, or fingerprint recognition are all potential safeguards. Using more than one authentication method can help an organisation satisfy GDPR’s requirements, but caution is needed: biometric data used to identify a person is a special category of personal data under Article 9, so fingerprint or voice templates need a lawful basis for processing and must be protected at least as carefully as the data they guard, to help prevent fraud and misuse.
Secure storage of passwords is essential for compliance with GDPR. Recital 83 states: “In order to maintain security and to prevent processing in infringement of [the GDPR], the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.” For password databases, the appropriate form of that protection is not reversible encryption but salted, slow hashing, so that the organisation can verify a login without ever being able to recover the password; reversible encryption belongs to password vaults, where the plaintext must be retrievable, and to the transport of credentials over the network. The fines for failing to implement adequate measures are hefty: infringements of the security obligations in Article 32 carry fines of up to €10 million or 2% of total worldwide annual turnover, and infringements of the basic principles in Article 5, which include integrity and confidentiality, up to €20 million or 4%, in each case whichever is higher.
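An added example (not from the article) of what “secure storage” looks like for passwords that a system uses to verify logins, in Python using the standard library’s PBKDF2-HMAC-SHA256 with a random per-password salt and an assumed iteration count of 600,000: the stored record allows verification but not recovery, the comparison is constant-time, and `needs_rehash` lets the store be upgraded to stronger parameters as users log in. Argon2id, scrypt or bcrypt are preferable where a library for them is available; PBKDF2 is used here only because it needs no third-party package.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 is used because it ships in the standard library; Argon2id
# (argon2-cffi), scrypt or bcrypt are stronger choices where available.
# The iteration count is an assumed value in line with current OWASP guidance.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key (hex).

    The record lets the password be verified but not recovered: a helpdesk
    operator or a database dump sees only the salt and the derived key.
    """
    salt = os.urandom(SALT_BYTES)                       # fresh random salt per password
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the stored salt and parameters and compare in constant time."""
    try:
        algorithm, iterations_str, salt_hex, key_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
        iterations = int(iterations_str)
        if algorithm != ALGORITHM or not expected:
            return False
    except ValueError:
        return False                                    # malformed record: treat as no match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)     # constant-time comparison


def needs_rehash(record: str) -> bool:
    """True if the record was created with weaker parameters than the current policy.

    Call this after a successful login and re-hash with the just-verified password,
    so the whole store is upgraded over time without forcing anyone to reset.
    """
    try:
        algorithm, iterations_str, _salt, _key = record.split("$")
        return algorithm != ALGORITHM or int(iterations_str) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("Tr0ub4dor&3")
    print(record)                                       # no plaintext anywhere in it
    print(verify_password("Tr0ub4dor&3", record))       # True
    print(verify_password("Tr0ub4dor&4", record))       # False
    print(needs_rehash(hash_password("legacy-secret", iterations=10_000)))  # True
```

Because the salt and the parameters travel inside the record, each password can be upgraded independently, and two users with the same password still get different records, so a leaked table does not even reveal which accounts share a password.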