New ICO guidance on passwords and encryption

    20 November 2018 | Rianda Markram

    The Information Commissioner's Office (ICO) has published new guidance on passwords in online services and encryption under the General Data Protection Regulation (GDPR).
    The guidance refers to encryption and passwords in the context of taking appropriate technical and organisational security measures (as required by Article 5(1)(f) and Article 32 of the GDPR). 
    What are the main points mentioned in the guidance?
    • Organisations should have an encryption policy and train staff in the use of encryption;
    • Encryption should be used for storing and transmitting data; solutions should meet current standards and be kept under review; 
    • Organisations should nevertheless be aware of the residual risks that remain even with encryption in place and take steps to address these;
    • Organisations must not forget about their password system once it is established, but should carry out periodic reviews; 
    • There may be better alternatives than using passwords; and
    • When designing systems and services, organisations must have regard to a data protection by design approach, and this includes password systems.
    It also includes information on: 
    • How to store passwords; 
    • How to enter passwords;
    • General requirements for passwords (such as length and the use of special characters);
    • Changing passwords;
    • The role of the National Cyber Security Centre; and 
    • GetSafeOnline.
    The ICO confirms in the guidance that where unencrypted data is lost or destroyed, it is possible that it will pursue regulatory action.

    This feature was written in collaboration with the lawyers at Markel Law, who regularly comment on SME-related matters. You can stay up to date with the latest legal changes on the Markel Law Blog, written in plain English, so that you understand the implications it has for you as a small business owner.
