Password Requirements Under GDPR

The General Data Protection Regulation (GDPR) becomes enforceable on May 25. This new legislation, while all-encompassing, does not forbid the use of a simple username and static password system for obtaining access to personal data, but it does require that access processes be safeguarded and rigorous.

If procedures are not safeguarded, businesses and organisations may be violating GDPR, leading to major consequences. Businesses and organisations need to review what these consequences are.

Password Re-Set Requests

Oftentimes, customers forget their password. This can happen for many different reasons, including:

  • The obligation to have different passwords for separate access needs.
  • Customer passwords must include numbers and symbols as well as letters.
  • Customer passwords must be long and complex.

For these reasons, people often need to reset their password(s). GDPR states that a business must be able to show that requests for password resets are managed securely. The best way for a business to handle this is to provide a secure self-service option. If a help desk is involved in data management, the password reset request should require a two-tier level of security, to help prevent fraud by help desk workers.

Is Password Use Recommended?

There are many other ways, besides passwords, to identify a person. These can incorporate methods such as:

  • Voice recognition technology.
  • Use of smartcards.
  • Activation codes on smartphones.
  • Recognition using fingerprints.

When GDPR becomes enforceable later this year, it would be wise for businesses to use two of any non-password methods of identification, or a password plus one other form of identification, to allow access to personal data. Taking such a step will allow them to adhere to the strict GDPR requirements.

Author: GDPR News