The Information Commissioner's Office ("ICO") has updated its GDPR guidance ("the Guidance ") in order to include security guidance that focuses on encryption and passwords, in the context of taking appropriate technical and organisational security measures (as required by Article 32 of the GDPR):


The ICO suggests that all organisations should have an encryption policy in place, which will govern the use of encryption and will include guidelines to assist staff training in relation to the use of encryption.

In addition, the organisations must ensure that the planned encryption solution meets current acceptable standards, such as FIPS 140-2 and FIPS 197. Organisations should also be aware of the residual risks of encryption (e.g., by conducting a data protection impact assessment), and take steps to address such risks.

The ICO has stated that when implementing the encryption requirement, organisations shall choose the right algorithm, key size, software and ensure the key is kept secure. All encryption methods shall be regularly assessed in order to ensure that they remain appropriate.

The Guidance also addresses the transmission of personal data, and suggests that organisations use encrypted communications channels when personal data is transmitted over an untrusted network. The ICO added that in some circumstances, organisations might be subject to regulatory action if unencrypted data is lost or destroyed . Here is an example of a recent enforcement measure taken in Germany for a similar reason.


The GDPR states that, in general, personal data must be appropriately protected and does not specifically address the use of passwords as a security measure. According to the ICO's new Guidance, a good password system is able to protect against two kinds of attacks: it should be as difficult as possible for attackers to access stored passwords, and it should protect against brute force or guessing techniques.

The Guidance also includes the following issues and recommendations:

  • Passwords shall be used only when appropriate. Sometimes a higher level of protection will be required;
  • The system should use an appropriate hashing algorithm. Passwords must not be stored in plaintext;
  • Login pages must be protected with HTTPS, or an equivalent level of protection;
  • Password length should be not less than 10 characters; the system should allow the use of special characters, but should not mandate it, and users should not be allowed to choose common or weak passwords;
  • Limitations should be imposed on login attempts; and
  • The organisation should consider implementing two-factor or multifactor authentication wherever appropriate.

Although the ICO's Guidance is not binding, compliance is strongly recommended when implementing encryption or password mechanism. We would be happy to provide further advice and recommendations concerning the new ICO's Guidance .

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.