On 1 November 2018 the ICO published new guidance on passwords in online services and encryption under the General Data Protection Regulation (GDPR).
Although the GDPR says nothing specific about passwords, the ‘security’ principle enshrined in Article 5(1)(f) requires personal data to be processed securely, by means of appropriate technical and organisational measures, to prevent unauthorised processing of personal data.
The guidance states that:
- Organisations must not forget about their password system once established and they should carry out periodic reviews.
- There may be better alternatives than using passwords.
- When designing systems and services, organisations must have regard to a data protection by design approach (as per Article 25 of the GDPR) and this applies to password systems.
The guidance also provides helpful advice on, for example, choosing the right authentication system and on password requirements such as length and the use of special characters. Interestingly, the ICO suggests that regular password expiry can cause a strong password to be replaced with a series of weaker ones, so it may be better to create a strong password and change it only when necessary.
The ICO has reported numerous incidents in which personal data was subject to unauthorised or unlawful processing, loss, damage or destruction, the impact of which in many cases may have been reduced or avoided had the personal data been encrypted. In addition, Article 32 specifically refers to encryption as an example of an appropriate technical security measure.
The guidance suggests that:
- Organisations should have an encryption policy and train staff in the use of encryption.
- Encryption should be used both for storing and for transmitting data; solutions should meet current standards and be kept under review.
- Organisations should nevertheless be aware of the risks that remain even with encryption in place and take steps to address these.
The ICO has confirmed that it may pursue regulatory action where unencrypted data is lost or destroyed, and given that the guidance describes encryption as widely available and low cost, the ICO may not take a particularly lenient approach to failures to implement appropriate systems.
Whilst the guidance is a good starting point, businesses must consider whether a higher level of security is required given their particular circumstances. They must also monitor, and react to, technological developments in this area and ensure that the processes and technologies employed are robust against evolving threats.