What are the GDPR Password Requirements?

by | Mar 11, 2021

The new General Data Protection Regulation (GDPR) which comes into force in May 2018 does not outlaw the use of a simple username and static password system for accessing personal data, but GDPR does state that data access procedures need to be secure.

More specifically, the law states in Article 32(1)  “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Note here both the Controller and the Processor must implement these measures. The measures listed are generic and listed in Article 32(1), the measures are

  • the pseudonymization and encryption of personal data,
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,
  •  a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
  • A “Controller” under GDPR is the organisation or company which determines the purposes of the processing of personal data where a “Processor” carries out the processing of the personal data on behalf of the “Controller”. A “Processor” can further engage “sub-processors” and the “Controller” would have visibility and approval rights over these “sub-processors”.

What does this mean for Passwords?

A policy around passwords will be but one part of an overall organisational plan to keep data safe and secure alongside other measures. These other measures would include implementing an Anti-Virus and Firewall policy, an acceptable use policy, an access control policy, together with training on Malware, Phishing and social engineering.

Together with the above measures penetration testing of systems and suppliers, implementing backups and mandatory user training on IT systems are also key areas for IT security in any organisation.

Stolen or weak passwords can cause data breaches. Best practices around passwords would include;

  1. Forcing the use of complex passwords (Passwords having to consist of numbers, letters, and symbols) or, better again, long passphrases.
  2. Implementing training for users to raise awareness, highlight risks and dangers and encourage use of long passphrases.
  3. Applying password security to all devices and ensuring the IT team can block devices if necessary.
  4. Using multi-factor authentication especially for off-site users connecting remotely or for password resets.
  5. Applying encryption to devices including mobile devices.
  6. Ensuring remote users are using secure VPNs to connect and do so from a secure Wi-Fi,
  7. Using End to End Encryption for passwords transiting your IT network.
  8. Ensuring users can be removed from all systems when necessary.
  9. Testing regularly the access control policy is actually operational in the organisation.
  10. Data Controllers implementing contracts with Processors where technical and operational measures and requirements are detailed.

Alternatives to  Passwords

There are alternatives to passwords. These can include methods such as:

  • Voice recognition
  • Smartcards
  • Smartphone activation codes
  • Fingerprint, iris or facial recognition
  • Password managers

While some of these alternatives are straightforward others such as Voice, Fingerprint. Iris or Facial recognition are classified as Biometric data (a special category of data under GDPR) and carry additional safeguards, therefore in an employer-employee context the employer would have to have compelling grounds to use them as employees may view them as being excessive and a non-justifiable invasion of privacy. This is a discussion which will evolve as passwords are targeted by phishing attempts and there is an argument that biometrics are much more secure.

The current best practice is to use a password manager like Bitwarden.

Strong Passwords Keep Personal Data Safe

Although the GDPR does not specifically mention passwords, the requirement for a strong password management policy in any organization would fall under the GDPR requirement to implement “appropriate technical and organisational measures” in order to keep personal data safe and secure.

Related GDRP Articles

GDPR Checklist


GDPR Email Requirements

GDPR Training

GDPR Requirements

GDPR Data Backup Requirements


Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Michael Cryan

Michael Cryan has a deep understanding and expertise in the General Data Protection Regulation (GDPR), Michael is the go-to authority when it comes to navigating the complexities of data protection. As a certified Data Protection Officer (DPO), Michael possesses in-depth knowledge of GDPR requirements and its practical implementation across various industries. His meticulous approach and attention to detail ensure that organizations can safeguard sensitive information and maintain the highest standards of data privacy. His comprehensive understanding of the regulation enables him to provide invaluable insights and guidance to organizations seeking compliance. You can connect with Michael via LinkedIn. <a href="

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy