The General Data Protection Regulation (GDPR) has been in effect for approximately two years now. However, many areas of the regulation remain confusing. One of those areas of confusion is the use of passwords and the development of a GDPR-compliant password policy.

In this article, we’ll discuss what GDPR is and how compliance works. We’ll also highlight the importance of aligning your password policy with GDPR.

What Exactly is GDPR?

GDPR is a regulation giving guidelines to businesses that collect data from the citizens of the European Union (EU). 

The law applies to an organization that does business with citizens of the EU or that attempts to solicit the business of citizens in the EU. 

There are stipulations on how the data can be collected and used. The regulation also discusses requirements for the protection of the collected data. Citizens of the European Union are also given certain rights when it comes to the disposal of the data that has been collected regarding them and their online activity. 

It is important to be compliant with this law because there are stiff monetary penalties for not complying with the regulations.

Because of this, organizations must show a justifiable reason for collecting the data. They must also have mechanisms in place to protect the data. 

One of the best practices for data privacy is creating a GDPR-compliant password policy.

The Impact of the GDPR

The GDPR applies to any company in the world that wishes to conduct business within the European Union. This spans a wide range of businesses from commerce to higher education. 

The regulation applies to businesses within the EU if the data is going to be stored or used outside of the EU.

It also applies to organizations outside of the EU if the organization offers goods or services to the EU citizens. 

An e-commerce site in the US selling merchandise to citizens of the EU is subject to this law. The GDPR also states that any organization that monitors the online behavior of EU citizens is subject to the regulation. 

The internet has put many organizations within the scope of the GDPR. For example, a teenager in Europe could easily order a gift for a friend in New York and have it delivered to their friend’s house. 

This would make the online company that fulfilled that order subject to the GDPR and its provisions. The company would be considered to have been seeking business in that European country if it created ads, priced goods in various currencies, or otherwise catered to European customers and enticed them to place orders.

Companies that monitor the online behavior of their visitors are also subject to GDPR regulation. 

Such companies regularly use tools such as cookies and IP address tracking. These tools track the number of visitors to their website and the search trends of these potential customers.

If visitors from an EU country browse sites whose parent company is in another country, it could put that company on notice to the GDPR regulators and possibly make it subject to the provisions of the GDPR.

There are some exceptions to these GDPR compliance rules.

The GDPR does not apply to personal or normal household activity.

So, if you are collecting some data such as emails and addresses for a personal function (such as a wedding or baby shower), you will not be subject to the data privacy requirements. Organizations with fewer than 250 employees may also not be subject to the GDPR.


Passwords and GDPR

The GDPR does not specifically address the concept of passwords in the regulation. 

But, this does not mean there are no requirements in the GDPR that pertain to the use of passwords or having a password policy. 

Adhering to the GDPR helps prevent unlawful access to personal data, the abuse of personal data, and the unlawful transfer of personal data.

Passwords are an important part of ensuring that this is possible. 

The GDPR also requires that personal data be handled in a manner that ensures its security and confidentiality and protects data privacy. Passwords, and having a password policy, are one way that organizations ensure GDPR compliance.

Unfortunately, the GDPR is very vague when it comes to the exact requirements of a compliant password policy. 

It states that ignorance will not be an excuse for failing to protect data. With this in mind, organizations are going to have to interpret the regulations.

This includes the use of industry best practices for data privacy when it comes to creating a GDPR-compliant password policy.

GDPR-Compliant Password Policy

The first thing organizations will need to do is define what a strong password looks like according to their policy. They should put guidelines in place for creating passwords that are difficult to crack with a brute-force attack.

Passwords should contain multiple character types, such as letters, numbers, and symbols. There should also be a requirement to use both capital and lowercase letters. The policy should also encourage users not to write down their passwords.

Password policies should also discourage the use of personal information. People often use memorable things such as birthdays, the names of children, and pet names for passwords. Astute cyber-criminals can search social media profiles, obtain this information, and use it to hack accounts.
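As an added example (not from the article or any vendor mentioned in it), the following Python checker encodes the policy rules described above: required character classes, both letter cases, and rejection of personal information such as names, pet names and birthdays taken from a user profile. The minimum length and the sample profile are this example's own assumptions; the article states no specific length.

```python
import re
from datetime import date

# Assumed minimum length: the article gives no number, 12 is this example's choice.
MIN_LENGTH = 12

# The character classes the policy asks for (letters in both cases, digits, symbols).
CLASS_PATTERNS = {
    "lowercase letter": r"[a-z]",
    "uppercase letter": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}

# Constructed sample profile: the kind of facts an attacker could harvest from social media.
SAMPLE_PROFILE = {
    "first_name": "Anna",
    "children": ["Liam"],
    "pet": "Rex",
    "birth_date": date(1990, 4, 23),
}


def personal_tokens(profile):
    """Derive the strings a policy should refuse to see inside a password.

    Dates are expanded into the formats people commonly type into passwords
    (19900423, 23041990, 230490, 1990, ...); everything else is lower-cased.
    """
    tokens = set()
    for value in profile.values():
        if isinstance(value, date):
            for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%Y"):
                tokens.add(value.strftime(fmt))
        elif isinstance(value, (list, tuple)):
            tokens.update(v.lower() for v in value)
        else:
            tokens.add(str(value).lower())
    # Drop very short fragments (e.g. two-letter initials) to avoid false rejections.
    return {t for t in tokens if len(t) >= 3}


def check_password(password, profile):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASS_PATTERNS.items():
        if not re.search(pattern, password):
            problems.append(f"missing a {name}")
    lowered = password.lower()
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            problems.append(f"contains personal information ({token!r})")
    return problems
```

Run the checks on the server side at password creation and change time; the profile passed in should be the data the organization already holds about the user.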

One method to improve the effectiveness of passwords and password policies is the use of multi-factor authentication (MFA). 

MFA requires that a user has a second method to authenticate or confirm their identity when attempting to log in or complete a transaction on an organizational website. 

It combines the use of a password with another credential such as a token sent to a cell phone, a numeric code sent to an email, or biometric verification such as a fingerprint swipe.

Most cybercrime cases involve weak and compromised passwords. Organizations can utilize multi-factor authentication services like those offered by Teamstack to improve their security.

The Bottom Line

This article only provides a glimpse into the intricacies of complying with the provisions of the GDPR. Businesses and organizations concerned with GDPR compliance should consult with professionals in the data privacy and legal fields. This will help ensure they have well thought out and developed policies.