GDPR new password and encryption guidance published

The Information Commissioner’s Office (ICO) has published guidance about passwords and encryption under GDPR.

Where passwords are concerned, the guidance gives comprehensive advice on deciding whether password protection is the best option and, if so, how to secure your system against the common methods by which passwords are cracked or guessed. GDPR says nothing specific about passwords, but they are covered under the ‘integrity and confidentiality’ principle. The advice given by the ICO covers how to set up passwords in a manner appropriate to the sensitivity of the data in question, advises on how often the arrangements should be reviewed, suggests other options for securing data, and gives a wealth of other information.

Detail is provided on the use of hashing algorithms or similar to store passwords and there are warnings of the algorithms to be avoided on account of known weaknesses. The level of protection required on login pages is covered and helpful pointers are given on what restrictions should be placed on passwords in order to achieve the security necessary without incurring the burden of forgotten passwords and frequent requests to reset them because staff struggle to recall them.
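The guidance summarised above recommends storing passwords with a suitable hashing algorithm and steering clear of algorithms with known weaknesses. As an added illustration, which is not part of the ICO guidance or of this post, the following Python shows one way a system can meet that advice: each password is hashed with a per-user random salt using scrypt (a deliberately slow, memory-hard function available in the standard library), the cost parameters are stored alongside the hash so they can be raised later, verification compares in constant time, and an audit function flags legacy records (unsalted fast hashes such as MD5, or too-low cost settings) for re-hashing at the user's next successful login. The record format, the cost parameters and the sample credential store are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# scrypt cost parameters (assumed values for illustration; tune them so that
# one verification takes a noticeable fraction of a second on your hardware).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32

# Schemes that are unsuitable for password storage: no hashing at all, or
# fast general-purpose hashes that can be tried at very high rates.
WEAK_SCHEMES = {"plain", "md5", "sha1", "sha256"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$<salt hex>$<hash hex>.

    Storing the parameters with the hash lets them be increased later
    without invalidating records that were written with older settings.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own parameters and compare in
    constant time. Malformed or non-scrypt records never verify."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt, expected = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
        if not salt or not expected:
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=n, r=r, p=p, dklen=len(expected))
    except ValueError:  # bad hex, or parameters scrypt rejects (e.g. n not a power of 2)
        return False
    return hmac.compare_digest(digest, expected)


def needs_rehash(record: str) -> bool:
    """True when the record uses a weak scheme, is malformed, or was written
    with lower cost than the current settings, so it should be migrated."""
    parts = record.split("$")
    scheme = parts[0].lower()
    if scheme in WEAK_SCHEMES or scheme != "scrypt" or len(parts) != 6:
        return True
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


def audit_records(store: Dict[str, str]) -> List[str]:
    """Return the usernames whose stored record should be re-hashed."""
    return sorted(user for user, rec in store.items() if needs_rehash(rec))


# Constructed sample credential store mixing current and legacy formats.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery staple"),          # current scheme
    "bob": "md5$" + hashlib.md5(b"password1").hexdigest(),            # legacy, unsalted fast hash
    "carol": "scrypt$1024$8$1$" + "00" * 16 + "$" + "00" * 32,        # scrypt, but cost too low
}

if __name__ == "__main__":
    print("alice verifies:", verify_password("correct horse battery staple", SAMPLE_STORE["alice"]))
    print("records to migrate:", audit_records(SAMPLE_STORE))
```

Re-hashing is done opportunistically: on a successful login the plaintext is briefly available, so a record that `needs_rehash` can be replaced with `hash_password` output at that moment, and the audit list tells you how far the migration has progressed.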

On the question of encryption, there is copious guidance on how to implement it for data processing and how to train staff in its use. It covers all of the various types of encryption in order to help data processors to decide on what is most appropriate for them, details its use in both the storage and the transfer of data, and gives up-to-date information on the current standards expected.

As with passwords, helpful advice is given on the use of, and where necessary the avoidance of, specific encryption algorithms, and detail is provided on the most up-to-date software recommendations.

Have you read our downloadable guide, Cybersecurity: Understanding passwords? You can download it here.