GDPR Password Policy

A search of the General Data Protection Regulation (GDPR) text for the word ‘password’ will not return any results, but that does not mean a GDPR password policy is not required. Passwords are an important safeguard against unauthorized individuals gaining access to personal data, so while they are not explicitly mentioned in the GDPR text, if passwords are used they need to be covered by your GDPR policies.

GDPR is primarily concerned with improving privacy protections for individuals in the EU (the Regulation protects data subjects in the Union, not only EU citizens). It achieves this by requiring any business, organization, or individual that processes the personal data of those individuals to implement safeguards that preserve the confidentiality of that information.

Even though passwords are not specifically mentioned, Regulation (EU) 2016/679 does stipulate that “a high level of protection of personal data” is required. GDPR also requires safeguards to be implemented that prevent the abuse, unlawful access, or transfer of personal data.

The Regulation also states that “personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data”. Passwords are a low-cost baseline control for restricting access to accounts and, combined with the measures discussed below, an appropriate safeguard against unauthorized account access.

What Should a GDPR Password Policy Include?

The purpose of a password is to prevent unauthorized individuals from accessing data or resources. Passwords can be considered an appropriate safeguard to ensure the security of accounts and the confidentiality of sensitive information, provided an appropriate GDPR password policy is in place.

Users are responsible for not disclosing their password or other information that could compromise their account, but a company that requires passwords to be set also has responsibilities. It must implement safeguards against any accidental disclosure of passwords on its side, for example never sending a password in a plaintext email, displaying it on screen after it has been set, or writing it to application logs.

A weak password can be guessed or recovered by a dictionary or brute force attack, so strong passwords are required. Note that the rules many policies still copy (an upper-case letter, a lower-case letter, a number and a special character, plus a forced reset every few months) are no longer considered best practice. NIST SP 800-63B advises against mandatory composition rules and periodic expiry, because they push users toward predictable patterns such as a capitalised word followed by a digit and an exclamation mark, and toward reusing passwords across services. What measurably helps is length (NIST sets a floor of 8 characters and many organizations choose 12 or more, with long passphrases allowed), screening every new password against lists of commonly used and previously breached passwords, rejecting passwords that contain the username or the service name, rate-limiting failed logins, and forcing a reset only when there is evidence that a password has been compromised. While none of this is stated in the GDPR text, these measures are proportionate to the risk, which is what Article 32 of the Regulation asks for.
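The following is an added example (not code from the original article) of an acceptance check built on the guidance above: it screens on length and against a denylist rather than enforcing composition rules. The minimum and maximum lengths and the denylist entries are assumed, constructed values; a real deployment would load a breached-password corpus or a top-N common-password list.

```python
"""Password acceptance check in the style of NIST SP 800-63B: length and
denylist screening, no composition rules. Added example; policy values and
the denylist are constructed for illustration."""
import unicodedata

MIN_LENGTH = 12     # assumed policy value; NIST's floor is 8, 12+ is common
MAX_LENGTH = 128    # allow long passphrases; the hash function copes with them

# Constructed sample of commonly used / breached passwords (lower-case).
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "123456", "qwerty123",
    "letmein", "welcome1", "iloveyou", "summer2024!", "admin123",
}

# Trailing characters stripped before the denylist lookup, so that a
# "common word + 1!" variant is still caught by the bare entry.
TRAILING_JUNK = "0123456789!@#$%^&*._-"


def normalize(pw: str) -> str:
    """NFKC-normalize so visually identical input compares equal; case and
    internal spaces are preserved (passphrases are encouraged)."""
    return unicodedata.normalize("NFKC", pw)


def check_password(candidate: str, username: str, service: str = "example") -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    Deliberately no 'must contain a digit/symbol' rule."""
    pw = normalize(candidate)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    folded = pw.casefold()
    stripped = folded.rstrip(TRAILING_JUNK)
    if folded in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("appears on the common/breached password list")
    if username and username.casefold() in folded:
        problems.append("contains the username")
    if service and service.casefold() in folded:
        problems.append("contains the service name")
    if len(set(folded)) <= 2:
        problems.append("uses only one or two distinct characters")
    return problems


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple", "alice-is-the-best-2024"):
        print(repr(pw), "->", check_password(pw, username="alice") or "accepted")
```

The check returns every violation at once so the user can be told what to fix in a single round trip; the denylist lookup is done on the case-folded value and on a copy with trailing digits and punctuation removed, which is where most "compliant" variants of a common password hide.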

A GDPR password policy should cover the resetting of passwords. A mechanism for resetting passwords is necessary as passwords can be forgotten and may need to be changed for other reasons. In order to be compliant with GDPR, a company must be able to demonstrate that its password resetting policies are secure, and the mechanism used does not allow an organization’s employees to view user passwords.

The simplest secure arrangement is a self-service reset that the user performs without staff involvement. For that process to be secure it must verify the user's identity through something other than the forgotten password, which in practice means a second authentication factor. Multi-factor authentication is the use of more than one independent means of authenticating a user, such as something the user knows together with something they possess or something inherent to that individual. This ensures, to a reasonable and appropriate level, that only the account owner can reset their password.

Commonly, the reset flow asks the user to register a phone number to which a reset code is sent, by text message to a mobile phone or by voice call to a landline. The code should be generated from a cryptographically secure random source, be valid for a short time limit after which it becomes invalid, be usable only once, and be protected by a cap on the number of guesses. This system is not infallible: NIST SP 800-63B classes SMS and voice delivery as a restricted channel because of SIM-swap fraud and telephone-network interception, so it should not be the only option for high-risk accounts. For most services the residual risk is nonetheless acceptable, and these measures are currently reasonable and appropriate and will help to prevent unauthorized access to an account. Authenticator apps, hardware security keys, smart cards, fingerprint scanners, and voice recognition systems can be used where increased assurance is needed.
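The reset flow described in the two paragraphs above, as an added example that is not part of the original article: a code is issued, only its hash is stored, and verification is single-use, time-limited, attempt-capped and constant-time. Delivering the code by SMS or voice is out of scope and is represented by the plaintext code that `issue()` returns; the six-digit length, ten-minute lifetime and five-attempt limit are assumed policy values, and the clock is injectable so the expiry can be exercised offline.

```python
"""Self-service reset code service. Added example; lifetime, digit count and
attempt limit are assumed values, and delivery of the code is stubbed."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6            # assumed: 6-digit code, as in most SMS/voice flows
CODE_LIFETIME_S = 10 * 60  # assumed: valid for ten minutes
MAX_ATTEMPTS = 5           # assumed: 5 guesses out of 10**6 possible codes


@dataclass
class ResetChallenge:
    user_id: str
    code_hash: bytes        # sha256(salt || code); the plaintext is never stored
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS
    used: bool = False


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock                              # injectable for tests
        self.challenges: dict[str, ResetChallenge] = {}

    @staticmethod
    def _hash(salt: bytes, code: str) -> bytes:
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a challenge and return the code to be delivered out of band.
        Issuing a new code replaces any earlier one for the same user."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        salt = secrets.token_bytes(16)
        self.challenges[user_id] = ResetChallenge(
            user_id=user_id,
            code_hash=self._hash(salt, code),
            salt=salt,
            expires_at=self.clock() + CODE_LIFETIME_S,
        )
        return code

    def verify(self, user_id: str, submitted: str) -> bool:
        """True exactly once: right code, before expiry, within the guess budget.
        Every failure path returns False without saying which check failed."""
        ch = self.challenges.get(user_id)
        if ch is None or ch.used or ch.attempts_left <= 0:
            return False
        if self.clock() > ch.expires_at:
            del self.challenges[user_id]                # expired: discard it
            return False
        ch.attempts_left -= 1                           # count the guess first
        ok = hmac.compare_digest(ch.code_hash, self._hash(ch.salt, submitted))
        if ok:
            ch.used = True                              # single use: no replay
        return ok


if __name__ == "__main__":
    svc = ResetService()
    code = svc.issue("alice")      # in production this goes to the phone
    print("first use:", svc.verify("alice", code))
    print("replay:", svc.verify("alice", code))
```

Once `verify()` returns True the application lets the user choose a new password; the challenge is already marked used, so the same code cannot be replayed from an intercepted message. Counting the attempt before comparing means a guesser cannot probe the budget for free, and the uniform False return avoids telling a caller whether a user id exists.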

A GDPR password policy should also cover the storage of passwords. “In order to maintain security and to prevent processing in infringement of [the GDPR], the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.” Encryption is the Regulation's general example, but for stored passwords the current industry standard is not reversible encryption: it is a salted, deliberately slow password hash such as Argon2id, scrypt, bcrypt or PBKDF2, so that a stolen database does not yield the passwords and nobody, including administrators, can recover a plaintext password from storage. The salt is not an optional extra: a unique random salt per password defeats precomputed (rainbow table) attacks and ensures that two users with the same password do not produce the same stored value. A password manager such as Bitwarden addresses a different problem. It helps employees and users generate and keep unique, strong passwords for each service and is a useful control, but it does not by itself satisfy the storage requirement for the passwords your own systems verify.
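An added example (not code from the original article) of the storage approach described above, using scrypt from the Python standard library (`hashlib.scrypt`). Each record is stored as a self-describing string carrying the algorithm, work factors and salt, so the parameters can be raised later and old records upgraded at the user's next login. The work-factor values are assumed and should be tuned to the server; the sample password is constructed.

```python
"""Salted, slow password hashing with hashlib.scrypt, stored as
'scrypt$n$r$p$salt$hash'. Added example; work factors are assumed values."""
import base64
import hashlib
import hmac
import os

# Assumed work factors: n=2**14, r=8, p=1 is a commonly cited interactive-login
# setting (16 MiB of memory per hash). Raise n as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_BYTES = 16


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode("ascii")


def hash_password(password: str) -> str:
    """Hash with a fresh random salt; two users with the same password
    therefore get different records, and the plaintext is never stored."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters and salt recorded in `stored` and compare
    in constant time, so timing does not leak how many bytes matched.
    Malformed records verify as False rather than raising."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
        n, r, p = int(n), int(r), int(p)
    except (ValueError, TypeError):
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True if the record was made with weaker parameters than current policy,
    so it can be re-hashed transparently after the next successful login."""
    try:
        algo, n, r, p, _salt, _dk = stored.split("$")
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return True
    return algo != "scrypt" or n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print("good:", verify_password("correct horse battery staple", record))
    print("bad: ", verify_password("correct horse battery stapler", record))
```

At login the application calls `verify_password()`, and if it succeeds and `needs_rehash()` is true it calls `hash_password()` on the password it has just verified and overwrites the record, which is the only moment the plaintext is available to strengthen the hash. Note what is absent: there is no decrypt function, because there is nothing to decrypt.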