How to create a GDPR-compliant password policy

If you've ever done business with companies in European Union countries, there’s a good chance your company had to comply with the EU’s General Data Protection Regulation (GDPR). The GDPR was implemented back on May 25, 2018, and it helps customers gain a greater level of control over their data while offering more transparency throughout data collection and use.

A significant portion of the regulation concerns the privacy of individuals and how to safeguard their data from unauthorized access. Meeting that requirement starts with an effective password policy. While passwords aren’t explicitly mentioned in the GDPR, a portion of it calls for a “high level of protection of personal data.” It also states that “personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including preventing unauthorized access to or use of personal data.”

For all kinds of companies, including small- to medium-sized businesses (SMBs), passwords are an effective method of securing data. Here are some things to remember when building your GDPR-compliant password policy:

#1. Use strong passphrases

Using a weak password exposes data to brute-force attacks, a trial-and-error method in which cybercriminals try many candidate passwords until one works. Sadly, some people still choose passwords such as “123456,” “qwerty,” “letmein,” and “passw0rd” even today.

Requirements for a strong password typically include upper- and lower-case letters, numbers, and special characters. However, the National Institute of Standards and Technology (NIST) now recommends moving away from these composition rules, because the passwords they produce are difficult to remember.

NIST instead suggests passphrases: a password composed of a sentence or a combination of words, such as “correcthorsebatterystaple” or “iknewyouweretroublewafflE5623”. Ideally, these are much easier for users to remember than complex passwords that make no sense.

#2. Reset passwords when breaches happen

NIST’s current password guidelines no longer require users to reset a password after a fixed period. Instead, businesses are advised to require a password reset only in the event of a data breach.

Remind your employees that this does not mean simply adding a special character or number to the existing password, as that defeats the purpose of the reset. They have to come up with a new string of text completely unrelated to the previous one.
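The rules in #1 and #2 can be enforced at the moment a user picks a password. The following is an added example, not Dyrand’s code and not part of the original article; the minimum length, the short weak-password list and the similarity threshold are constructed assumptions (a real deployment would check against a breached-password corpus).

```python
"""Password-policy checks in the spirit of the NIST guidance above (added example).

Rule #1: prefer long passphrases over composition rules and reject known weak
passwords.  Rule #2: reject a "reset" that merely appends or removes a few
characters from the previous password.  Thresholds and the blocklist are assumptions.
"""
from difflib import SequenceMatcher
from typing import List, Optional

MIN_LENGTH = 12  # assumption: minimum passphrase length for this policy

# Constructed blocklist; a real deployment would use a breached-password corpus.
WEAK_PASSWORDS = {"123456", "qwerty", "letmein", "password", "passw0rd"}

# Undo common substitutions before blocklist comparison so that
# "passw0rd" and "P@ssword" are both treated as "password".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Lower-case the password and undo simple character substitutions."""
    return pw.lower().translate(_LEET)


def check_new_password(new: str, old: Optional[str] = None) -> List[str]:
    """Return the policy violations found; an empty list means the password is accepted."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(new) in WEAK_PASSWORDS:
        problems.append("matches a known weak password")
    if old is not None:
        n_new, n_old = normalize(new), normalize(old)
        # Trivial reset: the old password with characters added or removed at either end.
        if n_old and (n_new.startswith(n_old) or n_new.endswith(n_old) or n_old.startswith(n_new)):
            problems.append("new password is the old password with characters added or removed")
        # Otherwise nearly identical overall (assumption: 80% similarity counts as trivial).
        elif SequenceMatcher(None, n_new, n_old).ratio() >= 0.8:
            problems.append("new password is too similar to the old one")
    return problems


if __name__ == "__main__":
    print(check_new_password("passw0rd"))
    print(check_new_password("correcthorsebatterystaple"))
    print(check_new_password("Summer2023!", old="Summer2023"))
```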

#3. Use multi-factor authentication

Another effective control to implement in your organization is multi-factor authentication (MFA). This involves the use of more than one means of verifying the identity of a user. It works on top of your employees’ current password, so it acts as an extra layer of security.

For example, when employees enter their password, they are also sent a four-digit code to their smartphone and are then prompted to enter it to verify their identity. This helps ensure that it really is the account owner signing in and not an unauthorized third party. While not infallible, the risk of account breaches is considerably lower with MFA activated than with passwords alone.

#4. Make use of password managers

A GDPR-compliant password policy should also cover the storage of passwords. Password managers are one of the best ways for your employees to improve their online security without sacrificing their browsing experience. Businesses can benefit from these services because they help prevent the loss of productivity caused by forgotten passwords and time wasted in recovering them.

By using a password manager, a user just needs to memorize a single passphrase that will serve as the master password, and all other passwords will be kept in a secure system.

With Dyrand’s Complete IT Services, your IT operations will be streamlined to ensure flexibility, scalability, and security. We provide all the hardware, software, and support, so you can sit back, relax, and worry less about your network. Sign up by calling us today!


Nicholas Drayer

Managing Director