What are the GDPR Password Requirements?

The new General Data Protection Regulation (GDPR) which comes into force in May 2018 does not outlaw the use of a simple username and static password system for accessing personal data, but GDPR does state that data access procedures need to be secure.

More specifically, the law states that “a high level of protection of personal data” must be ensured and that safeguards must be in place “to prevent abuse or unlawful access or transfer”. If procedures are not secure, businesses and organisations can be found to be in breach of GDPR rules. This can have serious consequences.

How can businesses and organizations be confident in their security procedures? A common current method of data protection is the use of password policies. As mentioned above, passwords are not prohibited as a security measure under the GDPR, but they are not given as an example of an adequate safeguard either. In fact, the term “password” does not appear anywhere in the GDPR.

Requests to Reset Passwords

If passwords are used, then there must be a way to store and reset them. Customers often legitimately forget their password. This can be for a lot of different reasons, including:

  • The requirement to have different passwords for different access needs.
  • Passwords having to consist of numbers, letters, and symbols.
  • Passwords having to be lengthy and complex.

These are some of the reasons people will often ask to reset their password. Under GDPR, a business will need to be able to show that requests for password resets are dealt with securely.

The best way to do this is for businesses to provide a secure self-service option. Two-factor or multi-factor authentication can increase the security of this option, as it requires several pieces of information, or possession of certain elements, that should be unique to the owner of the account.

If a help desk is involved, it should require a two-tier level of security to help prevent fraud or access to passwords by help desk employees.

Should Passwords be Used?

There are many other methods of identifying an individual besides passwords. These can include methods such as:

  • Voice recognition.
  • Smartcards.
  • Smartphone activation codes.
  • Fingerprint recognition.

Under GDPR, it is a good idea for businesses to use two non-password methods of identification, or a password plus one other form of identification, to enable access to personal data. Doing so will help them to satisfy stringent GDPR requirements.

While the risk of someone maliciously obtaining a username and password combination may be relatively high, the risk of that same person also gaining access to an authorized smartphone may be lower, and the risk of an unauthorized party using biometric data such as fingerprints or voiceprints may be lower still.

If passwords are being used, they should not be directly accessible and should be stored securely so that they are never visible to unauthorized individuals. A recognised standard, such as encryption or an equivalent protective measure, should be used to protect the stored passwords.
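As an added example (not from the original article), the following Python shows one way to meet both points above: passwords are stored only as salted one-way hashes (the usual "equivalent" to encryption for this purpose, since nobody, including the help desk, ever needs to read the original), and self-service reset requests use a random single-use token that is itself stored only as a hash and expires quickly. The PBKDF2 iteration count, token lifetime and the in-memory account table are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed parameters (not from the article): PBKDF2-HMAC-SHA256 with a random
# 16-byte salt per user; the iteration count is illustrative, tune it for your
# hardware. The reset token lifetime is likewise an assumption.
ITERATIONS = 600_000
RESET_TOKEN_TTL = 15 * 60  # seconds a reset token stays valid

def hash_password(password: str) -> str:
    """Return 'iterations$salt$digest'; only this one-way value is stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not leak how much matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

# Constructed stand-in for an account table: user -> {"pw": ..., "reset": ...}
ACCOUNTS: dict = {}

def create_account(user: str, password: str) -> None:
    ACCOUNTS[user] = {"pw": hash_password(password), "reset": None}

def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Self-service reset step 1: mint a one-time token, store only its hash."""
    token = secrets.token_urlsafe(32)
    ACCOUNTS[user]["reset"] = {
        "hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": (now if now is not None else time.time()) + RESET_TOKEN_TTL,
    }
    return token  # delivered out of band (e.g. e-mail); never kept in clear

def complete_reset(user: str, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Step 2: accept the token once, before expiry, then set the new hash."""
    pending = ACCOUNTS[user]["reset"]
    current = now if now is not None else time.time()
    if pending is None or current > pending["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, pending["hash"]):
        return False
    ACCOUNTS[user]["pw"] = hash_password(new_password)
    ACCOUNTS[user]["reset"] = None  # single use: a replayed token is rejected
    return True
```

Because only digests are stored, a copy of the account table reveals neither the passwords nor any outstanding reset tokens.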

By introducing these measures, organizations can minimize the risks of accounts being hijacked or hacked and they can have more confidence in the security of their data.