16 November 2018

ICO guidance on encryption and passwords under GDPR

The ICO has updated its GDPR guidance to give advice on compliant use of encryption and passwords to protect personal data.

What's the issue?

Under the General Data Protection Regulation 2016 (GDPR), personal data must be processed "in a manner that ensures appropriate security of personal data including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures". What does this mean? The GDPR goes on to state that what is "appropriate" in this context should take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

Cutting through the verbiage, this means it is up to data controllers and processors to assess, on balance, the best ways to protect the personal data they process. Technical standards and industry-specific standards may help (and in some sectors may be mandatory) but, as with so much of the GDPR, those processing the data must take a risk-based approach.

What's the development?

The ICO has published guidance on encryption and passwords under GDPR as part of its GDPR guide.

Encryption

The advice on encryption centres on matching the measures to the level of risk and the sensitivity of the data. Emphasis is placed on having an encryption policy in place and training staff, and sector-specific guidance should be taken into account. Encrypted communications channels should be used for data in transit. Four things should be considered when implementing encryption: choosing the right algorithm, the right key size, the right software, and keeping the key secure. In practice the last two are where most real-world failures occur: "the right software" means a maintained, widely reviewed implementation rather than an in-house one, and a strong algorithm offers little protection if the key is stored alongside the data it protects. Solutions should be reviewed regularly to ensure they still provide adequate protection and meet current standards.

Online passwords

The GDPR contains no specific rules on passwords, but personal data must be appropriately protected. The ICO says that what is appropriate should take into account the state of technological development and the cost of implementation, should be reviewed periodically, and should be robust against evolving threats.

Passwords should only be used where appropriate; for some data or systems a higher level of security may be required. A good password system should make it as difficult as possible for attackers to recover stored passwords in a usable form and should resist brute-force and guessing attacks. It should not, however, place an undue burden on individuals either to remember the password or to keep the account secure. Stored passwords should be protected with a suitable hashing algorithm (in practice a salted, deliberately slow password hashing function, not a general-purpose hash such as unsalted SHA-256) or another mechanism offering similar protection. The system architecture must prevent passwords from leaking, for example into logs. Login pages should be protected with HTTPS, and hashing should be carried out server side, not client side: a hash computed only in the browser becomes the credential itself, so a stolen copy of the database is as good as the passwords.

Users should not be prevented from pasting passwords, which would penalise those using password managers. A minimum password length should be set, but not a maximum unless it is absolutely necessary. Special characters may be used but should not be mandated, and there should be no other rules on how a password is composed. Blacklisting known weak or breached passwords is a good way to prevent the use of predictable ones. Expiry should only be imposed where it is absolutely necessary in particular circumstances, as forced changes lead users to choose weak or predictable passwords. Password reset credentials should be limited, and single-use, time-limited links should be used. The number of incorrect login attempts should be rate limited or throttled, but the threshold should not be set so low that it locks out legitimate users. Some attackers will deliberately work within the limit, for example by spreading a few guesses across many accounts, so throttling alone is not a complete answer. Other measures such as CAPTCHAs, whitelisted IP addresses, and time limits or delays after failed logins can also be used. A risk-based approach to authentication should be taken. In some cases it may be appropriate to require a second factor, such as a biometric or a one-time token. Procedures should be put in place to deal with breaches.
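The password controls described in the two paragraphs above (server-side salted slow hashing, a minimum but no practical maximum length, a blacklist, throttled login attempts, and single-use time-limited reset tokens) can be seen together in one small in-memory account store. This is an added illustration for this briefing, not code from the ICO guidance; the parameter values, the sample blacklist and the lockout policy are illustrative assumptions, and it uses only the Python standard library.

```python
import hashlib
import hmac
import os
import secrets
import time

# Illustrative policy parameters: a controller would tune these to its own risk assessment.
MIN_LENGTH = 8
MAX_LENGTH = 256          # generous cap that only bounds hashing cost, not a usability limit
MAX_FAILED_ATTEMPTS = 10  # high enough not to lock out users who mistype a few times
LOCKOUT_SECONDS = 300
RESET_TOKEN_TTL = 900     # seconds a reset link stays valid
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # memory-hard work factor; raise N as hardware improves

# Constructed sample blacklist; a real deployment would load a large breached-password list.
BLACKLIST = {"password", "password1", "12345678", "qwerty123", "letmein!", "welcome1"}


def check_policy(password):
    """Return a rejection reason, or None if acceptable. Only a length floor and a
    blacklist are enforced: no composition rules and no expiry, as the ICO advises."""
    if len(password) < MIN_LENGTH:
        return "password must be at least %d characters" % MIN_LENGTH
    if len(password) > MAX_LENGTH:
        return "password must be at most %d characters" % MAX_LENGTH
    if password.lower() in BLACKLIST:
        return "password is too common"
    return None


def hash_password(password, salt=None):
    """Salted scrypt hash in a self-describing format so work factors can be raised later."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


# Verified for unknown usernames so response time does not reveal whether an account exists.
_DUMMY_HASH = hash_password("dummy-password-for-constant-timing")


class PasswordStore:
    """In-memory store (hypothetical); `clock` is injectable so throttling and expiry are testable."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}      # username -> {"hash", "failed", "locked_until"}
        self.reset_tokens = {}  # sha256(token) -> (username, expiry); only the hash is stored

    def register(self, username, password):
        reason = check_policy(password)
        if reason:
            return reason
        if username in self.accounts:
            return "username already taken"
        self.accounts[username] = {"hash": hash_password(password), "failed": 0, "locked_until": 0.0}
        return None

    def login(self, username, password):
        """Returns "ok", "invalid" or "locked". Throttling is per account; note that an
        attacker spraying one guess across many accounts stays under this limit."""
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(password, _DUMMY_HASH)
            return "invalid"
        now = self.clock()
        if now < acct["locked_until"]:
            return "locked"
        if verify_password(password, acct["hash"]):
            acct["failed"] = 0
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failed"] = 0
        return "invalid"

    def issue_reset_token(self, username):
        if username not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)  # this is what goes into the emailed link
        key = hashlib.sha256(token.encode()).hexdigest()
        self.reset_tokens[key] = (username, self.clock() + RESET_TOKEN_TTL)
        return token

    def redeem_reset_token(self, token, new_password):
        """Single use: the token is consumed on success and discarded once expired."""
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.reset_tokens.get(key)
        if entry is None:
            return "invalid or already used token"
        username, expiry = entry
        if self.clock() > expiry:
            del self.reset_tokens[key]
            return "token expired"
        reason = check_policy(new_password)
        if reason:
            return reason
        del self.reset_tokens[key]
        acct = self.accounts[username]
        acct.update(hash=hash_password(new_password), failed=0, locked_until=0.0)
        return None
```

The stored string carries its own scrypt parameters, so the work factor can be raised for new hashes without invalidating existing ones, which is the "regular review" the ICO asks for applied to the hashing scheme. Reset tokens are stored only as a SHA-256 digest, so a leaked table of pending resets cannot be redeemed.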

What does this mean for you?

Much of the advice from the ICO is unlikely to be new to sophisticated IT departments but a key take-home should be the requirement to keep systems under regular review and ensure that they develop as new threats emerge or as data processing functions change.

It is interesting to see that the ICO very much takes user experience into account when providing guidance on passwords. The vast majority of us are guilty of using the same or similar passwords across a range of applications and websites, or of using obvious passwords. In an era where we are unlikely to know more than one or two phone numbers off by heart, remembering a multitude of passwords will not come easily to the majority of us. It is also interesting that the ICO is against the current trend of making the inclusion of special characters or at least one number mandatory. This is consistent with other recent guidance, notably NIST's 2017 digital identity guidelines (SP 800-63B), which likewise advise against composition rules and routine expiry.

Businesses need to determine for themselves what sorts of encryption and password systems to use, but whether they relate to employees or customers, it is not simply the case that the most technically complex solution will be the most suitable.
