The new General Data Protection Regulation (GDPR) which comes into force in May 2018 does not outlaw the use of a simple username and static password system for accessing personal data, but GDPR does state that data access procedures need to be secure.
More specifically, Article 32(1) states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” Note that both the Controller and the Processor must implement these measures. The measures listed in Article 32(1) are generic:
- the pseudonymization and encryption of personal data,
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services,
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident,
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
A “Controller” under GDPR is the organisation or company which determines the purposes of the processing of personal data, whereas a “Processor” carries out the processing of the personal data on behalf of the “Controller”. A “Processor” can further engage “sub-processors”, and the “Controller” would have visibility and approval rights over these “sub-processors”.
What does this mean for Passwords?
A policy around passwords will be but one part of an overall organisational plan to keep data safe and secure alongside other measures. These other measures would include implementing an Anti-Virus and Firewall policy, an acceptable use policy, an access control policy, together with training on Malware, Phishing and social engineering.
Together with the above measures, penetration testing of systems and suppliers, implementing backups and mandatory user training on IT systems are also key areas for IT security in any organisation.
Stolen or weak passwords can cause data breaches. Best practices around passwords would include:
- Forcing the use of complex passwords (passwords having to consist of numbers, letters, and symbols) or, better still, long passphrases.
- Implementing training for users to raise awareness, highlight risks and dangers and encourage use of long passphrases.
- Applying password security to all devices and ensuring the IT team can block devices if necessary.
- Using multi-factor authentication especially for off-site users connecting remotely or for password resets.
- Applying encryption to devices including mobile devices.
- Ensuring remote users are using secure VPNs to connect and do so from a secure Wi-Fi.
- Using End to End Encryption for passwords transiting your IT network.
- Ensuring users can be removed from all systems when necessary.
- Regularly testing that the access control policy is actually operational in the organisation.
- Data Controllers implementing contracts with Processors where technical and operational measures and requirements are detailed.
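The first item in the list above, "complex passwords or, better still, long passphrases", is the one that is usually enforced in code. The following is an added example (not part of the original article, and not a requirement stated by GDPR) of a policy check that accepts a long passphrase on length alone and otherwise requires the numbers-letters-symbols rule. The length thresholds, the small list of common passwords and the function names are assumptions chosen for illustration.

```python
import unicodedata
from typing import Tuple

# Assumed thresholds for illustration only; neither the article nor GDPR fixes these values.
MIN_COMPLEX_LENGTH = 12     # a "complex" password must still be at least this long
MIN_PASSPHRASE_LENGTH = 20  # a passphrase this long is accepted without a symbol/digit rule
MAX_LENGTH = 128            # upper bound so the hashing stage never sees unbounded input

# Constructed sample of known-bad passwords; a real deployment would use a full breach list.
COMMON_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}


def is_complex(pw: str) -> bool:
    """The 'numbers, letters, and symbols' rule: all three character classes present."""
    has_letter = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() and not c.isspace() for c in pw)
    return has_letter and has_digit and has_symbol


def evaluate_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password under the assumed policy.

    Order of checks: normalise Unicode so look-alike forms compare equal, reject
    oversized or well-known passwords, reject near-constant strings that would
    satisfy a length rule trivially, then accept a long passphrase or a complex
    password of sufficient length.
    """
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) > MAX_LENGTH:
        return False, "too long"
    if pw.strip().lower() in COMMON_PASSWORDS:
        return False, "common password"
    if len(set(pw)) <= 2:
        # e.g. "aaaaaaaaaaaaaaaaaaaaaaaa" meets the length rule but carries no entropy
        return False, "too few distinct characters"
    if len(pw) >= MIN_PASSPHRASE_LENGTH:
        return True, "long passphrase"
    if len(pw) < MIN_COMPLEX_LENGTH:
        return False, "too short"
    if is_complex(pw):
        return True, "complex password"
    return False, "needs numbers, letters and symbols, or a passphrase of 20+ characters"


if __name__ == "__main__":
    # Constructed candidates showing each branch of the policy.
    for candidate in ["correct horse battery staple", "Tr0ub4dor&3", "Tr0ub4dor&3xx",
                      "Password1234", "aaaaaaaaaaaaaaaaaaaaaaaa", "password"]:
        print(repr(candidate), "->", evaluate_password(candidate))
```

The passphrase branch is deliberately checked before the complexity branch so that users who follow the "better still" advice are not forced to add symbols to a sentence that is already long; the distinct-character and common-password checks close the obvious ways of satisfying a pure length rule without choosing a real secret.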
Alternatives to Passwords
There are alternatives to passwords. These can include methods such as:
- Voice recognition
- Smartphone activation codes
- Fingerprint, iris or facial recognition
- Password managers
While some of these alternatives are straightforward, others such as voice, fingerprint, iris or facial recognition are classified as biometric data (a special category of data under GDPR) and carry additional safeguards. In an employer-employee context the employer would therefore have to have compelling grounds to use them, as employees may view them as excessive and a non-justifiable invasion of privacy. This is a discussion which will evolve as passwords are targeted by phishing attempts, and there is an argument that biometrics are much more secure.
The current best practice is to use a password manager like Bitwarden.
Strong Passwords Keep Personal Data Safe
Although the GDPR does not specifically mention passwords, the requirement for a strong password management policy in any organization would fall under the GDPR requirement to implement “appropriate technical and organisational measures” in order to keep personal data safe and secure.