How to create a GDPR-compliant password policy

The General Data Protection Regulation (GDPR) came into force in the European Union (EU) in May 2018. Its rules extend to any company doing business with EU residents, even if that company has no local presence. Like other data protection laws, GDPR is unclear about how to implement a compliant security policy. For example, it never mentions passwords, yet it requires a high degree of security for personally identifiable data. The processes for accessing these data must take all appropriate steps to enforce that protection, because negligence is not a legitimate excuse for failing to protect consumer data.


A strong password should be difficult for a computer to guess by trying every possible combination of characters. The longer the password and the larger the character set, the longer it takes to crack. It should always be alphanumeric and include some special characters, such as symbols.

Define a strong password

Personal details should be prohibited – the most difficult part of preparing a compliant password policy is always striking the right balance between what is memorable and what is safe. Some people write their password down so they do not lose it, which is a very bad idea. Others use their birthday, a pet's name or the names of family members as a password, which is equally wrong. Cyber criminals are also known to try exactly these kinds of passwords after checking personal details on social media. Train your staff about the risks of using personal details as passwords.

Single sign-on implementation – people with multiple accounts on different sites commonly use different passwords, and they can forget them. In the workplace in particular, it makes sense to adopt a single sign-on function that gives workers instant access to any device they need to do their job. Administrators should further control access privileges to comply with the principle of least privilege: single sign-on does not mean giving access to all your company's information.

Don't enforce regular resets – the US Federal Trade Commission now proposes that workers should not be required to change their passwords regularly. Instead, a reset should only be required when the service has identified a possible data breach.

Use multi-factor authentication – multi-factor authentication (MFA) is another powerful method to adopt in your company. It uses more than one way of verifying an individual's identity. It works on top of your employees' existing passwords, so it serves as an extra layer of protection.
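The length-and-character-set reasoning in the strong-password paragraph and the ban on personal details above can be turned into an automated policy check. The following is an added example written for this article, not code from the original post; the guess rate, the minimum length, the 60-bit threshold and the sample personal details are all constructed assumptions.

```python
"""Password policy check built from the rules in the article above."""
import math
import re

# Character classes and their sizes, used to estimate the brute-force keyspace.
CHAR_CLASSES = {
    "lower": (re.compile(r"[a-z]"), 26),
    "upper": (re.compile(r"[A-Z]"), 26),
    "digit": (re.compile(r"[0-9]"), 10),
    "symbol": (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation
}

# Assumed guess rate for an offline attack against a fast hash (illustrative constant).
GUESSES_PER_SECOND = 1e10


def brute_force_bits(password: str) -> float:
    """Bits an attacker must search when trying every combination over the
    character classes actually present: log2(alphabet_size ** length)."""
    alphabet = sum(size for rx, size in CHAR_CLASSES.values() if rx.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def crack_time_years(password: str) -> float:
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return 2 ** brute_force_bits(password) / GUESSES_PER_SECOND / (365 * 86400)


def contains_personal_detail(password: str, details: list[str]) -> bool:
    """True if a known personal detail (name, birthday digits, pet name) of at
    least three characters appears anywhere in the password, case-insensitively."""
    lowered = password.lower()
    return any(len(d) >= 3 and d.lower() in lowered for d in details)


def check_password(password: str, details: list[str],
                   min_length: int = 12, min_bits: float = 60.0) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []
    present = {name for name, (rx, _) in CHAR_CLASSES.items() if rx.search(password)}
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not ({"lower", "upper"} & present and "digit" in present):
        problems.append("must be alphanumeric (letters and digits)")
    if "symbol" not in present:
        problems.append("must include at least one symbol")
    if brute_force_bits(password) < min_bits:
        problems.append(f"brute-force keyspace below {min_bits:.0f} bits")
    if contains_personal_detail(password, details):
        problems.append("contains a personal detail (name, birthday, pet)")
    return problems
```

Run with constructed staff details such as `["Alice", "Rex", "1990"]`: a short password built from a pet's name and birth year fails on length, keyspace and personal details, while a long mixed-character passphrase passes.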
