The Information Commissioner’s Office (ICO) has published updated security guidance on encryption and on passwords in online services under the GDPR.

The GDPR requires data controllers to implement appropriate technical and organisational measures to ensure they process personal data securely. Article 32 of the GDPR includes encryption as an example of an appropriate technical measure. The guidance suggests that:

  • Encryption is a widely-available measure with relatively low costs of implementation.
  • Data controllers should have an encryption policy in place that governs how and when they implement encryption, and they should also train their staff in the use and importance of encryption.
  • When storing or transmitting personal data, data controllers should use encryption and ensure that their encryption solution meets current standards.
  • Data controllers should nevertheless be aware of the residual risks of encryption and have steps in place to address these.

The ICO stresses that where unencrypted data is lost or destroyed, it is possible that it will pursue regulatory action.

Although the GDPR does not say anything specific about passwords, data controllers are required to process personal data securely by means of appropriate technical and organisational measures and passwords are a commonly-used means of protecting access to systems that process personal data. The guidance suggests that:

  • Any password setup implemented must be appropriate to the particular circumstances of the processing.
  • Data controllers should consider whether there are any better alternatives to using passwords.
  • Any password system that is deployed must protect against theft of stored passwords and “brute-force” or guessing attacks.
  • There are a number of additional considerations data controllers need to take account of when designing their password system, such as the use of an appropriate hashing algorithm to store the passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.
  • Data controllers must not forget about their password system once established; they should carry out periodic reviews.