Starting May 25, 2018, the European General Data Protection Regulation (GDPR) will be in force. The GDPR regulates the protection of personal data of people residing in the European Union (EU). A critical aspect of data and account protection is the security of the system used to access the data, and that includes the use of passwords.
While the GDPR does not mention the word “password” anywhere in its text, passwords are deemed important because “a high level of protection of personal data” is required “to prevent abuse or unlawful access or transfer.” The law requires “appropriate safeguards,” “appropriate security” and “appropriate measures.” No specific practice or technology is demanded, which gives entities the freedom to choose how to protect personal data.
The use of passwords together with the right support systems can be considered a feasible means of ensuring the security and confidentiality of data and accounts. There are no specific requirements for passwords in terms of length, permitted characters or period of validity, but there must be support systems that make password use effective. What are these support systems?
Password reset processes and procedures must be secure; this is critical to GDPR compliance. When clients and staff forget or need to reset their passwords, systems must be in place so that help desk employees need not get involved or directly access passwords. A secure “self-service” reset system uses two- or multi-factor authentication to ensure that the person requesting the reset is the real owner of the account. Commonly, an automatically generated reset code is sent to the telephone number associated with the account, and the password reset is then permitted for a limited time using the account name or email address together with the generated code.
Other factors that can be used to securely reset a password include voice recognition, smart cards and fingerprints. Alternatively, if the person can provide two or more specific elements (e.g. account name, email address, telephone number, answer to a secret question), the reset mechanism can be triggered.
Regarding the storage of passwords, the section relating to appropriate measures applies. The controller or processor should evaluate the risks inherent in storing passwords and implement measures to mitigate them. Passwords should be stored using standards at least comparable to those for storing data with encryption.
If your organization uses passwords to secure data protected by the GDPR, it is recommended to use multi-factor authentication for both account access and password reset. Stored passwords should be encrypted, just as stored data are.
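The self-service reset flow described above (a generated code delivered to the phone on file, accepted for a limited time together with the account name or email address) and the storage requirement of the last two paragraphs, worked through as an added example that is not code from the original article. It assumes a small Python service with an injectable SMS sender and clock; the account, phone number and email address are constructed. For storage it uses a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the standard library) rather than reversible encryption, which is the established standard for credential storage and meets the "at least comparable to encryption" bar: a stolen database yields no plaintext passwords and there is no decryption key to protect. The ten-minute validity window and five-attempt limit are assumptions, not figures from the article.

```python
"""Self-service password reset with an SMS one-time code, plus salted password
hashing. Added example, not from the article; all account data is constructed."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

RESET_CODE_TTL_SECONDS = 10 * 60  # assumption: a reset code is valid for ten minutes
MAX_CODE_ATTEMPTS = 5             # assumption: discard the code after five wrong guesses
PBKDF2_ITERATIONS = 600_000       # slow, salted one-way hash rather than reversible encryption

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt$digest' in hex using PBKDF2-HMAC-SHA256 and a random per-user salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare it in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex)).split("$", 1)[1]
    return hmac.compare_digest(candidate, digest_hex)

@dataclass
class Account:
    username: str
    email: str
    phone: str
    password_hash: str

@dataclass
class PendingReset:
    code_hash: str        # only a hash of the one-time code is kept server-side
    expires_at: float
    attempts: int = 0

class ResetService:
    """Password reset without help-desk involvement: the second factor is a one-time
    code sent out of band to the phone on file. send_sms and clock are injectable."""

    GENERIC_REPLY = "If an account matches, a reset code has been sent."

    def __init__(self, accounts: List[Account], send_sms: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self._accounts = {a.username: a for a in accounts}
        self._send_sms = send_sms
        self._clock = clock
        self._pending: Dict[str, PendingReset] = {}

    def _lookup(self, identifier: str) -> Optional[Account]:
        # The identifier may be the account name or the registered e-mail address.
        return next((a for a in self._accounts.values()
                     if identifier in (a.username, a.email)), None)

    def request_reset(self, identifier: str) -> str:
        account = self._lookup(identifier)
        if account is None:   # same reply either way, so registered names are not revealed
            return self.GENERIC_REPLY
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[account.username] = PendingReset(
            code_hash=hashlib.sha256(code.encode("utf-8")).hexdigest(),
            expires_at=self._clock() + RESET_CODE_TTL_SECONDS)
        self._send_sms(account.phone, code)
        return self.GENERIC_REPLY

    def complete_reset(self, identifier: str, code: str, new_password: str) -> bool:
        account = self._lookup(identifier)
        pending = self._pending.get(account.username) if account else None
        if pending is None:
            return False
        if self._clock() > pending.expires_at or pending.attempts >= MAX_CODE_ATTEMPTS:
            del self._pending[account.username]   # expired or being guessed: discard it
            return False
        supplied = hashlib.sha256(code.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(supplied, pending.code_hash):
            pending.attempts += 1
            return False
        del self._pending[account.username]       # a code is single-use
        account.password_hash = hash_password(new_password)
        return True

if __name__ == "__main__":
    outbox: List[tuple] = []
    alice = Account("alice", "alice@example.com", "+1-555-0100", hash_password("old-password"))
    svc = ResetService([alice], send_sms=lambda phone, code: outbox.append((phone, code)))
    print(svc.request_reset("alice@example.com"))
    _, code = outbox[-1]    # in production this arrives on the user's phone
    print("reset accepted:", svc.complete_reset("alice", code, "new-password"))
    print("new password works:", verify_password("new-password", alice.password_hash))
```

The reply to a reset request is identical whether or not the identifier matches an account, so the endpoint does not reveal which names or addresses are registered. The code itself is stored only as a hash, is single-use, expires, and is compared in constant time; the help desk never sees either the code or the password.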