ICO guidance on encryption and passwords under GDPR

On 1 November 2018 the Information Commissioner's Office (ICO) updated its GDPR guidance on the use of encryption and passwords as security measures.

Article 32 of the GDPR names encryption of personal data as one possible "appropriate technical and organisational measure" for securing it. The use of passwords, however, is not explicitly specified in the GDPR.


The ICO has published guidance on encryption and passwords under GDPR as part of its Guide to the GDPR. The main points are as follows.

The ICO says that every company should have an encryption policy, and its guidance gives a full explanation of what encryption is and how it can be implemented. It also includes material to support employee training on the use of encryption. When implementing encryption, the ICO states that companies must choose the correct algorithm, key size and software, and must ensure that the key is kept safe and secure. Encryption measures must also be tested regularly to confirm that they remain appropriate. When transmitting personal data over an untrusted network, an organisation should use encrypted communication channels. The ICO added that, in some cases, companies could be subject to regulatory action if unencrypted data is lost or destroyed.
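The three practical points in that paragraph (keep the key out of the code and check its size, use an encrypted channel over an untrusted network, and test the configuration rather than assume it) can be shown in a few lines of Python standard-library code. This is an added example, not code from the ICO or from this article; the policy figures (256-bit minimum key, TLS 1.2 minimum) and the environment variable name `PERSONAL_DATA_KEY` are assumptions chosen for the illustration.

```python
import os
import secrets
import ssl

# Policy values below are assumptions made for this example, not figures from the ICO guidance.
MIN_SYMMETRIC_KEY_BITS = 256
KEY_ENV_VAR = "PERSONAL_DATA_KEY"   # hypothetical variable name populated by a secrets manager


def generate_data_key(bits: int = MIN_SYMMETRIC_KEY_BITS) -> str:
    """Create a fresh random key (hex-encoded) from the operating system's CSPRNG."""
    return secrets.token_hex(bits // 8)


def key_meets_policy(key: bytes, min_bits: int = MIN_SYMMETRIC_KEY_BITS) -> bool:
    """Reject keys shorter than the policy minimum and all-zero placeholder keys."""
    return len(key) * 8 >= min_bits and any(key)


def load_data_key(source=None, env_var: str = KEY_ENV_VAR) -> bytes:
    """Load the data-at-rest key from the environment (or an injected mapping).

    The key is never written into source code; a missing or too-short key is an
    error so that a misconfigured deployment fails closed instead of encrypting badly.
    """
    mapping = os.environ if source is None else source
    raw = mapping.get(env_var)
    if raw is None:
        raise RuntimeError(f"{env_var} is not set; keys must come from a secret store")
    key = bytes.fromhex(raw)
    if not key_meets_policy(key):
        raise ValueError(f"{env_var} is shorter than {MIN_SYMMETRIC_KEY_BITS} bits or is a placeholder")
    return key


def untrusted_network_context() -> ssl.SSLContext:
    """TLS client context for sending personal data across a network you do not control."""
    ctx = ssl.create_default_context()            # CA verification and hostname checking are on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0 and TLS 1.1
    return ctx


def insecure_context_for_comparison() -> ssl.SSLContext:
    """The common mistake: certificate verification switched off 'to make it work'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Check a context against the policy before it is used to open a connection."""
    return (
        ctx.check_hostname
        and ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    demo_env = {KEY_ENV_VAR: generate_data_key()}   # constructed stand-in for a real secret store
    print("loaded key bits:", len(load_data_key(source=demo_env)) * 8)
    print("hardened context acceptable:", context_is_acceptable(untrusted_network_context()))
    print("verification-off context acceptable:", context_is_acceptable(insecure_context_for_comparison()))
```

`context_is_acceptable` is the kind of check that belongs in the "regular encryption test" the guidance asks for: run it in a unit test or a deployment smoke test so that a developer who disables certificate verification to get past a staging problem cannot ship that change unnoticed.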


The GDPR states only that, in general, personal data must be adequately secured; it does not explicitly address the use of passwords as a security measure. According to the latest ICO guide, a good password scheme defends against two kinds of attack: it should make it as difficult as possible for attackers to obtain the stored encrypted passwords, and it should defend against brute-force or guessing techniques.

It also states that:

  1. Passwords should only be used when necessary.
  2. A higher degree of security is mandatory where required.
  3. An effective hashing algorithm should be used, and passwords must not be stored in plain text.
  4. Login pages require HTTPS or an equivalent level of protection.
  5. Passwords should be at least 10 characters long, and the system should allow the use of special characters so that passwords can be strong.
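The two defences named above (making stored passwords hard to recover, and resisting guessing) and list items 3 and 5 can be put together in one small Python example. This is an added illustration, not code from the ICO or this article. It uses PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt and a constant-time comparison; the 600,000-iteration work factor, the five-attempt lockout, and the three-entry common-password list are constructed assumptions for the example (a real deployment would use a much larger breach-derived list, and a memory-hard function such as scrypt or Argon2 where available).

```python
import hashlib
import hmac
import secrets
import time

MIN_PASSWORD_LENGTH = 10          # the 10-character minimum from the guidance above
PBKDF2_ITERATIONS = 600_000       # assumption: a current, deliberately slow work factor
MAX_ATTEMPTS = 5                  # assumption: failed logins before a temporary lockout
LOCKOUT_SECONDS = 300             # assumption: lockout length in seconds

# Constructed sample of commonly guessed passwords; a real deployment would use a
# large breach-derived list.
COMMON_PASSWORDS = {"password123", "qwertyuiop", "1234567890"}


def password_policy_problems(password: str) -> list:
    """Return the policy rules a candidate password breaks (an empty list means acceptable)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # Deliberately no rule restricting the character set: special characters
    # and spaces are allowed so that users can pick strong passwords.
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash for storage; the plain-text password is never stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record, so the work factor can be raised later for new hashes.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash and compare in constant time; malformed records never verify."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
        )
    except ValueError:
        return False
    return hmac.compare_digest(candidate, expected)


class LoginThrottle:
    """Per-account failed-attempt counter with a temporary lockout (defence against online guessing)."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self._max_attempts = max_attempts
        self._lockout_seconds = lockout_seconds
        self._clock = clock                 # injectable, so the behaviour can be tested without waiting
        self._state = {}                    # username -> (failure_count, locked_until)

    def is_locked(self, username: str) -> bool:
        _, locked_until = self._state.get(username, (0, 0.0))
        return self._clock() < locked_until

    def record_failure(self, username: str) -> None:
        now = self._clock()
        count, locked_until = self._state.get(username, (0, 0.0))
        if locked_until and now >= locked_until:   # an earlier lockout has expired: start fresh
            count, locked_until = 0, 0.0
        count += 1
        if count >= self._max_attempts:
            locked_until = now + self._lockout_seconds
        self._state[username] = (count, locked_until)

    def record_success(self, username: str) -> None:
        self._state.pop(username, None)


def attempt_login(throttle: LoginThrottle, username: str, password: str, stored_hash: str) -> str:
    """Return 'locked', 'ok' or 'denied'. The hash is only checked when the account is not locked."""
    if throttle.is_locked(username):
        return "locked"
    if verify_password(password, stored_hash):
        throttle.record_success(username)
        return "ok"
    throttle.record_failure(username)
    return "denied"


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample password
    print(record)
    print(attempt_login(LoginThrottle(), "alice", "correct horse battery staple", record))
```

The stored record carries its own algorithm name, iteration count and salt, so each part of the scheme can be checked independently: the slow hash and random salt address the first attack (recovering passwords from a stolen store), while the policy check and the throttle address the second (guessing). Note that the throttle is in-memory and per-process; a real service would keep that state somewhere shared.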

Conclusion

Although the ICO guidance is not compulsory, following it is strongly encouraged when implementing an encryption or password process.
