New ICO GDPR guidance: Passwords and encryption in online services and websites

What is required under the GDPR?

The latest guidance from the ICO (Information Commissioner’s Office) could be relevant to anyone operating a website (whether it’s using WordPress, WooCommerce, Drupal or numerous other content management systems.

If your website allows users to log in, whether it’s staff, volunteers, customers, or the general public, the new guidance needs to be considered.

Although the GDPR does not say anything specific about passwords, you are required to process personal data securely by means of appropriate technical and organisational measures. 

‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.’

This is the GDPR’s ‘integrity and confidentiality’ principle, or, more simply, the ‘security’ principle. So, although there are no provisions on passwords, the security principle requires you to take appropriate technical and organisational measures to prevent unauthorised processing of personal data you hold.

• Choosing the right authentication scheme
• What should I consider when implementing a password system?

Passwords are a commonly-used means of protecting access to systems that process personal data. Therefore, any password setup that you implement must be appropriate to the particular circumstances of this processing and you should consider whether there are any better alternatives to using passwords. Any password system you deploy must protect against theft of stored passwords and ‘brute-force’ or guessing attacks.