The Information Commissioner's Office (ICO) has published new guidance on passwords in online services and encryption under the General Data Protection Regulation (GDPR).
The guidance refers to encryption and passwords in the context of taking appropriate technical and organisational security measures (as required by Article 5(1)(f) and Article 32 of the GDPR).
What are the main points mentioned in the guidance?
- Organisations should have an encryption policy and train staff in the use of encryption;
- Encryption should be used for storing and transmitting data; solutions should meet current standards and be kept under review;
- Organisations should nevertheless be aware of the residual risks that remain even with encryption in place and take steps to address these;
- Organisations must not forget about their password system once established, they should carry out periodic reviews;
- There may be better alternatives than using passwords; and
- When designing systems and services, organisations must have regard to a data protection by design approach and this includes for password systems.
It also includes information on:
- How to store passwords;
- How to enter passwords;
- General requirements for passwords (i.e. length and use of special characters);
- Changing passwords;
- The role of the National Cyber Security Centre and
The ICO confirms in the guidance that where unencrypted data is lost or destroyed, it is possible that it will pursue regulatory action.