What is required under the GDPR?
The latest guidance from the ICO (Information Commissioner’s Office) on passwords is relevant to anyone operating a website, whether it runs on WordPress, WooCommerce, Drupal or one of numerous other content management systems.
If your website allows users to log in, whether they are staff, volunteers, customers or members of the general public, the new guidance needs to be considered.
Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures.
‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’
This is the GDPR’s ‘integrity and confidentiality’ principle (Article 5(1)(f)), or, more simply, the ‘security’ principle. So, although there are no provisions specifically on passwords, the security principle requires you to take appropriate technical and organisational measures to prevent unauthorised processing of the personal data you hold.
Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing and you should consider whether there are any better alternatives to using passwords. Any password system you deploy must protect against theft of stored passwords and ‘brute-force’ or guessing attacks.
There are a number of additional considerations you will need to take account of when designing your password system: storing passwords with a hashing algorithm designed for the purpose (a salted, deliberately slow function such as bcrypt, scrypt or Argon2, rather than a general-purpose hash like MD5 or SHA-1); protecting the means by which users enter their passwords (for example, serving the login form only over HTTPS); defending against common attacks such as brute-force guessing and credential stuffing (rate limiting and account lockout); and offering two-factor authentication.
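To make the two requirements above concrete (protecting stored passwords with a purpose-built hash, and resisting brute-force guessing), here is an added example in Python. It is not code from the original page or from the ICO; it uses only the standard library (scrypt via `hashlib`, constant-time comparison via `hmac`). The scrypt cost parameters, the lockout policy of five failures in fifteen minutes, the `users` table and the account names are all assumptions for illustration; a real site would keep the failure counts in a shared store rather than in process memory.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, List, Optional

# scrypt work factors (assumed values; tune them so one hash takes a noticeable
# fraction of a second on your hardware). 128 * r * n bytes of memory are needed.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SCRYPT_MAXMEM = 64 * 1024 * 1024
SALT_LEN = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh random salt.

    The result is self-describing ('scrypt$N$r$p$salt$hash') so the cost
    parameters can be raised later without breaking existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                        r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    expected = bytes.fromhex(hash_hex)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), maxmem=SCRYPT_MAXMEM,
                        dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(dk, expected)


class LoginThrottle:
    """Per-account lockout after too many failed attempts in a sliding window.

    Assumed policy: 5 failures within 900 seconds locks the account for the
    remainder of that window. The clock is injectable so it can be tested.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures: Dict[str, List[float]] = {}

    def is_locked(self, username: str) -> bool:
        now = self.clock()
        recent = [t for t in self._failures.get(username, [])
                  if now - t < self.lockout_seconds]
        self._failures[username] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, username: str) -> None:
        self._failures.setdefault(username, []).append(self.clock())

    def reset(self, username: str) -> None:
        self._failures.pop(username, None)


# A throwaway hash used for unknown usernames, so a login attempt costs the same
# time whether or not the account exists (avoids account enumeration by timing).
DUMMY_HASH = hash_password(os.urandom(16).hex())


def attempt_login(users: Dict[str, str], throttle: LoginThrottle,
                  username: str, password: str) -> str:
    """Return 'ok', 'locked' or 'denied' for one login attempt."""
    if throttle.is_locked(username):
        return "locked"
    stored = users.get(username, DUMMY_HASH)
    if verify_password(password, stored) and username in users:
        throttle.reset(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


if __name__ == "__main__":
    # Constructed sample user table; in practice this lives in your database.
    users = {"alice": hash_password("correct horse battery staple")}
    throttle = LoginThrottle()
    print(attempt_login(users, throttle, "alice", "wrong guess"))            # denied
    print(attempt_login(users, throttle, "alice", "correct horse battery staple"))  # ok
    print(attempt_login(users, throttle, "nobody", "anything"))               # denied
```

Two design points worth noting: the stored string carries its own parameters, so you can raise the work factor for new hashes and rehash old ones on the user's next successful login; and the throttle keys on the username, which stops an attacker from guessing one account quickly but does nothing against credential stuffing spread across many accounts, so it should sit alongside per-IP rate limiting and two-factor authentication rather than replace them.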
Detailed information can be found on the ICO website or get in touch if you’d like any help applying the guidance to your website.