What are the Requirements for Using Passwords Under the GDPR?

The European Union (EU) General Data Protection Regulation (GDPR) became enforceable on May 25, 2018. The GDPR governs the processing and security of the personal data of individuals in the EU. A crucial element of data and account security is the reliability of the mechanisms that control access to that data, including the use of passwords.

Although the GDPR never uses the word "password", passwords matter under it because personal data must be protected to a high standard against misuse, unauthorised access and unlawful transfer. Article 32 calls for "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. No particular practice or technology is mandated, so organisations are free to choose how they secure personal data, but they must be able to show that the chosen measures are adequate for the risk.

Passwords, together with the right supporting controls, are a manageable way of protecting the confidentiality of data and accounts. The regulation sets no specific password requirements (length, character classes, or expiry period), so it is the surrounding controls that make passwords effective. Which supporting controls are necessary?

Password reset procedures must be protected; this is central to GDPR compliance, because a weak reset flow lets an attacker bypass the password entirely. When customers or staff forget their passwords or must change them, the system should let them reset the password themselves, without involving help-desk staff, so that no third person handles the credential and the user can set a new password straightaway. A safe "self-service" reset uses a second factor (two- or multi-factor authentication) to confirm that the person requesting the reset is the actual account owner. Typically an automatically generated one-time reset code is sent to the telephone number registered on the account, and the reset is then permitted, for a short period only, with the email address or account name together with that code.

Other factors that can be used to reset a password safely include voice recognition, fingerprints and smart cards. Alternatively, the reset can be unlocked if the individual supplies two or more specific pieces of information (e.g. account name, telephone number, email address and the answer to a secret question). Be aware that answers to secret questions are often guessable or discoverable from public sources, so they should not be the only factor protecting the reset.

Concerning the safe-keeping of passwords, the security controls around storage matter. The controller or processor must assess the risks of storing passwords and implement controls that mitigate them. Passwords should be stored in a form from which the original cannot be recovered: a salted, deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2), not reversible encryption and never plain text, with a fresh random salt per password so that identical passwords produce different stored values. The stored hashes then deserve at least the same protection as any other sensitive data held in encrypted form.
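The two controls discussed above, a self-service reset confirmed by a one-time code sent to the registered phone, and storage of passwords as salted slow hashes, are illustrated together below. This is an added example written for this article, not code from any product or from the original text. It assumes an in-memory account record, a caller-supplied clock (so expiry can be exercised), and that delivery of the code by SMS or email happens outside this code; the code length, 10-minute lifetime and 5-attempt limit are assumptions, and PBKDF2 is used only because it is in the Python standard library (bcrypt, scrypt or Argon2 are equally acceptable choices).

```python
"""Self-service password reset with single-use codes, plus salted password hashing.

Added illustration, not part of the original article. Assumptions: in-memory
account store, caller-supplied clock, out-of-band delivery of the reset code.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000   # OWASP (2023) figure for PBKDF2-HMAC-SHA256
CODE_TTL_SECONDS = 600        # reset code lives 10 minutes (assumption)
MAX_CODE_ATTEMPTS = 5         # pending reset is voided after 5 wrong codes (assumption)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt defeats precomputed tables;
    the iteration count slows offline guessing if the store ever leaks."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    username: str
    phone: str          # second factor: where the reset code is delivered
    salt: bytes
    digest: bytes
    # Pending reset state. Only a hash of the code is kept, so reading the
    # record does not yield a usable code.
    reset_code_hash: Optional[bytes] = None
    reset_expires_at: float = 0.0
    reset_attempts: int = 0


def create_account(username: str, phone: str, password: str) -> Account:
    salt, digest = hash_password(password)
    return Account(username, phone, salt, digest)


def start_reset(acct: Account, now: float) -> str:
    """Issue a 6-digit one-time code. The plaintext is returned ONLY so the
    caller can send it to acct.phone; the record stores just its hash."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    acct.reset_code_hash = hashlib.sha256(code.encode("utf-8")).digest()
    acct.reset_expires_at = now + CODE_TTL_SECONDS
    acct.reset_attempts = 0
    return code


def complete_reset(acct: Account, code: str, new_password: str, now: float) -> bool:
    """Possession of the code proves control of the registered phone. Fails
    closed on expiry, on too many attempts and on mismatch; on success the
    code is cleared so it cannot be replayed."""
    if acct.reset_code_hash is None or now > acct.reset_expires_at:
        return False
    if acct.reset_attempts >= MAX_CODE_ATTEMPTS:
        return False
    acct.reset_attempts += 1
    supplied = hashlib.sha256(code.encode("utf-8")).digest()
    if not hmac.compare_digest(supplied, acct.reset_code_hash):
        return False
    acct.salt, acct.digest = hash_password(new_password)
    acct.reset_code_hash = None
    acct.reset_expires_at = 0.0
    return True


if __name__ == "__main__":
    acct = create_account("alice", "+15550100", "correct horse battery")   # constructed sample
    code = start_reset(acct, now=0.0)       # would be sent to acct.phone here
    print("reset accepted:", complete_reset(acct, code, "new passphrase", now=30.0))
    print("replay accepted:", complete_reset(acct, code, "again", now=31.0))
```

Three details carry the security value: the account record never holds the reset code or the password in recoverable form, every comparison uses `hmac.compare_digest` so a wrong guess leaks no timing information, and a code that has expired, been used, or been guessed at too many times is rejected before any password change happens.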

If your company relies on passwords to protect personal data covered by the GDPR, use multi-factor authentication both for account access and for password resets, and store passwords as salted, slow hashes rather than as recoverable encrypted values, protecting the stored hashes at least as strongly as the data they guard.