Wednesday, 21 November 2018

New GDPR guidance published by the ICO about passwords and encryption under the GDPR

Passwords in online services

At a glance

Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.

Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing.

You should consider whether there are any better alternatives to using passwords.

Any password system you deploy must protect against theft of stored passwords and ‘brute-force’ or guessing attacks.

There are a number of additional considerations you will need to take account of when designing your password system, such as the use of an appropriate hashing algorithm to store your passwords, protecting the means by which users enter their passwords, defending against common attacks and the use of two-factor authentication.


At a glance

The GDPR requires you to implement appropriate technical and organisational measures to ensure you process personal data securely.

Article 32 of the GDPR includes encryption as an example of an appropriate technical measure, depending on the nature and risks of your processing activities.

Encryption is a widely-available measure with relatively low costs of implementation. There is a large variety of solutions available.

You should have an encryption policy in place that governs how and when you implement encryption, and you should also train your staff in the use and importance of encryption.

When storing or transmitting personal data, you should use encryption and ensure that your encryption solution meets current standards.

You should be aware of the residual risks of encryption, and have steps in place to address these.

Visit the ICO at

Contact Chapter Three Consulting by calling 0330 004 0020 or email us at