HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

GDPR Password Requirements

Although the text of the General Data Protection Regulation frequently refers to “appropriate safeguards”, “appropriate security”, and “appropriate measures”, there is no specific mention of GDPR password requirements. However, an appropriate GDPR password policy should be part of a Data Protection Impact Assessment.

The primary objectives of the European General Data Protection Regulation (GDPR) are to update data protection laws across the European Economic Area (EEA) and to standardize how EU member states apply the laws by creating rules relating to “the protection of natural persons with regard to the processing of personal data”. GDPR also creates rules for the free movement of personal data within the EEA, and restricts the migration of data outside of approved jurisdictions.

In order to achieve these objectives, the Regulation consists of 99 Articles and 173 Recitals. It is significant that after the first four Articles (which relate to the objectives and definitions), the first Article of any real substance stipulates that personal data shall be “processed in a manner that ensures appropriate security of the personal data” – effectively placing data security at the top of the agenda.

The wording of the text gives GDPR-covered entities a certain level of freedom in the approach they take to protect data. It also acts to somewhat “future-proof” the legislation by avoiding naming specific technologies or practices which may become obsolete as technology progresses. Nonetheless, businesses have a general obligation to implement technological and organizational measures to show they have considered and integrated data protection into their processing activities.

Where Does this Leave the GDPR Password Requirements?

One of the sections of the law remarks that “measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected”. This is probably the “in a nutshell” version of the GDPR password requirements.

Importantly for our purposes, the use of passwords is not prohibited by this approach, nor are any specific requirements mentioned (e.g. minimum lengths, capital letters, numbers, maximum periods of validity, or required change frequency). With the right support systems in place, passwords can be argued to ensure security and confidentiality while remaining feasible in terms of cost and technology. What support systems would be required for this to be the case?

Why You Need a GDPR Password Policy

How passwords are stored and reset is a critical aspect of GDPR compliance. Clients and staff members may legitimately forget or need to reset passwords for a number of reasons. GDPR requirements mean that companies must be able to demonstrate that their password reset processes and procedures are secure. Systems must be in place, for example, to prevent help desk employees who may be involved in resets from directly accessing passwords.

Perhaps the optimum way to ensure this is through the use of a secure “self-service” reset system. These systems can make use of two- or multi-factor authentication to check that the person requesting the reset is the legitimate owner of the account. A common method to implement this for online services is to transmit an automatically generated reset code to the telephone number associated with the individual account name. If used within a certain period of time, this then opens a temporary window when a password reset may occur using the account name or email address.

Other “external” factors which can be used alongside the user’s identification to securely reset a password include voice recognition, fingerprints, or smart cards. If the person requesting the reset can show they have two or more specific elements that only the account holder should have, such as something they know, something they possess, or something inherent to the user and only the user, then the password reset mechanism can be triggered.

In our example above, these specific elements would be the account name/email address and access to the user’s pre-registered telephone. While there is a risk of a third party gaining both knowledge of the account name/email address and possession of the legitimate user’s telephone, that risk can be considered (for now) low enough that this form of password reset is reasonably secure. The temporary nature of the reset code and reset window adds to the security. As extra layers or factors are added, the safety of the account is increased.

How passwords are stored is not directly addressed. The previously quoted sections relating to appropriate measures still apply. It is also mentioned that “in order to maintain security and to prevent processing in infringement of [the GDPR], the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption”. From this, we can infer that passwords used to access data should, at a minimum, be stored to a standard comparable to storing them as encrypted data. A password manager such as Bitwarden is therefore essential for GDPR compliance.
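The reset flow described above (out-of-band code, limited validity, temporary reset window) and the storage point in this section, as an added example that is not from the original article or any product it mentions. The code keeps only a hash of the reset code and a salted scrypt digest of the password, so neither a help desk employee nor a database leak exposes the secret itself; the time limits, attempt limit, and account names are assumed values chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
CODE_TTL = 10 * 60       # seconds a reset code stays valid (assumed policy value)
RESET_WINDOW = 15 * 60   # seconds the reset window stays open after a good code
MAX_ATTEMPTS = 3         # wrong guesses allowed before a code is invalidated

def _scrypt(password, salt):
    # Slow, salted hash: the stored value cannot be turned back into the password
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry can be tested deterministically
        self.pending = {}       # account -> [sha256(code), expires_at, attempts_left]
        self.windows = {}       # account -> expiry of the open reset window
        self.passwords = {}     # account -> (salt, scrypt digest); never the password

    def request_reset(self, account):
        code = f"{secrets.randbelow(10**6):06d}"
        code_hash = hashlib.sha256(code.encode()).digest()
        self.pending[account] = [code_hash, self.clock() + CODE_TTL, MAX_ATTEMPTS]
        return code  # demo only: a real service sends this to the registered phone

    def verify_code(self, account, code):
        entry = self.pending.get(account)
        if entry is None or self.clock() > entry[1]:
            return False                      # no code outstanding, or it has expired
        if not hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).digest()):
            entry[2] -= 1                     # a 6-digit code needs a guess limit
            if entry[2] <= 0:
                del self.pending[account]
            return False
        del self.pending[account]             # correct code is consumed, no replay
        self.windows[account] = self.clock() + RESET_WINDOW
        return True

    def set_password(self, account, new_password):
        expires_at = self.windows.pop(account, None)   # window is single use too
        if expires_at is None or self.clock() > expires_at:
            return False
        salt = secrets.token_bytes(16)
        self.passwords[account] = (salt, _scrypt(new_password, salt))
        return True

    def check_password(self, account, password):
        # Unknown accounts still pay the scrypt cost, so timing does not reveal existence
        salt, digest = self.passwords.get(account, (secrets.token_bytes(16), b""))
        return hmac.compare_digest(digest, _scrypt(password, salt))
```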

Should your organization choose to use passwords as a security measure for data protected by GDPR, we advise the use of multi-factor authentication for identification and password resets, as well as encrypted storage of data and passwords.