GDPR Learning Hub

Password procedures for employees

We live in an increasingly digitalized society, where virtually all employees at companies need access to various systems that require passwords for access. Therefore, it is good to have password procedures for employees, to regulate password management. 

The purpose of establishing password procedures for employees

Strong passwords provide a good basis for protecting the personal data being processed from unauthorized access, and are often considered the first line of defense. Establishing password procedures for employees serves several purposes:

  • Ensure that all employees’ passwords to the company’s digital systems maintain a high level of security and quality. 
  • Clarify to all employees how to manage their passwords, so that the risk of intrusion is reduced. 
  • Protect the company’s password-protected systems from unauthorized access to content.
  • Help the company to ensure compliance with the principle of integrity and confidentiality in Article 5(1)(f) of the GDPR. 

Companies need to prevent personal data breaches

Companies shall prevent personal data breaches by taking appropriate technical and organisational security measures. Many data breaches occur due to weak password management. That’s why it is good to establish password procedures for employees and make sure they use strong passwords. In addition, the company should establish an overall password policy.

Policy and procedures are not the same thing

It is easy to confuse a policy with a procedure. A policy is an overall governing document in which the company describes what applies, the goal, the principles it works according to and the strategic direction. A procedure, by contrast, consists of instructions that describe what employees should do in practice to achieve the goals set out in the policy. In some cases it may be appropriate to have several procedures supporting a single policy.

Helps employees know how to protect their accounts in their work role

It is the employees of the company who process personal data on a daily basis. It is therefore important that they are given the right tools to do so in accordance with the GDPR. For example, the employer should provide them with appropriate information about proper password management by establishing written internal password procedures for employees.

Password management when processing important personal data

When processing important personal data in digital systems, such as sensitive personal data or other privacy-sensitive personal data, it is a good idea to implement login either through two-step authentication or through biometric data (such as fingerprints or facial recognition).

Two-step authentication to systems with sensitive personal data

It is good for companies to have two-step authentication when logging in to systems that contain sensitive personal data. The same applies if other privacy-sensitive personal data are processed in the system. An example of two-step authentication is that, when the user tries to log in with a password, a code is sent to the mobile phone number registered for the user in the system. In this way, an unauthorized person who obtains the password is still prevented from entering the system.

Biometric personal data login

It may be appropriate to have a login via biometric personal data in certain cases. Examples of processing biometric data are logging in to systems through fingerprints, facial recognition or iris scanning. If the authorised user has to present their own biometric data to log in to the system, it is difficult for unauthorised persons to access the system. Please note that biometric personal data constitute sensitive personal data within the meaning of Article 9 of the GDPR.

What can password procedures contain?

Strength requirements

It is important to include strength requirements to make it easier for employees to know whether or not they have chosen a sufficiently secure password. For example, passwords should contain at least 15 characters and include upper- and lower-case letters, special characters, etc. In addition, it is good to prohibit passwords that are too easy to guess, and those that are linked to the employee's personal information, such as name and date of birth.
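The rules in the paragraph above can be enforced mechanically when an employee sets a password, so that the procedure is checked rather than merely read. The following is an added example, not code from the original page: it encodes the stated example rules (at least 15 characters, upper- and lower-case letters, special characters, a blocklist of easy-to-guess passwords, and no strings derived from the employee's name or date of birth). The blocklist, the `Employee` record, the `SAMPLE_EMPLOYEE` values and the function names are constructed for illustration; a real deployment would use a large breached-password list.

```python
"""Password strength check for an internal password procedure (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

MIN_LENGTH = 15

# Constructed, deliberately short blocklist of easy-to-guess passwords.
COMMON_PASSWORDS = {
    "password", "password1", "welcome1", "qwerty", "letmein", "summer2024",
}


@dataclass(frozen=True)
class Employee:
    first_name: str
    last_name: str
    username: str
    birth_date: date


# Constructed sample record, not a real person.
SAMPLE_EMPLOYEE = Employee("Anna", "Svensson", "asvensson", date(1990, 5, 14))


def personal_tokens(emp: Employee) -> set[str]:
    """Lower-cased strings derived from the employee that must not appear in a password."""
    d = emp.birth_date
    tokens = {
        emp.first_name, emp.last_name, emp.username,
        d.strftime("%Y%m%d"), d.strftime("%d%m%Y"), d.strftime("%m%d%Y"),
        d.strftime("%d%m%y"), d.strftime("%y%m%d"), d.strftime("%Y"),
    }
    # Tokens shorter than four characters would match almost anything.
    return {t.lower() for t in tokens if len(t) >= 4}


def check_password(password: str, emp: Employee) -> list[str]:
    """Return the list of violated rules; an empty list means the password passes."""
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")

    lowered = password.lower()
    # "Password2024!!" is still "password": drop trailing digits/punctuation before
    # comparing against the blocklist.
    core = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common / easy-to-guess password")

    # Also compare against the password with separators removed, so that
    # "sven-sson" does not slip past a check for "svensson".
    squashed = re.sub(r"[^a-z0-9]", "", lowered)
    matches = sorted(
        t for t in personal_tokens(emp) if t in lowered or t in squashed
    )
    if matches:
        problems.append("contains personal information: " + ", ".join(matches))
    return problems


if __name__ == "__main__":
    for candidate in ("Password2024!!", "Svensson1990!!xyz", "correct-Horse-battery-9-staple"):
        verdict = check_password(candidate, SAMPLE_EMPLOYEE) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The check returns every violated rule at once, so the employee gets a single, complete explanation rather than having to fix one rule per attempt.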

Password changes

Changing passwords is not uncommon, and it is therefore important to regulate it: for example, when passwords should be changed (such as on suspicion of exposure) and how a changed password is communicated internally, so that other employees who need access to it receive it.

Prohibition

It is important to clarify what is prohibited, so that it is easy for employees to understand the prohibitions. For example, multiple people may not use the same account or share a user account, unless explicitly authorised by the employer.

Multi-factor authentication

In some cases, it may be useful to have multi-factor authentication, such as when logging in to systems with important personal data. It is good to clarify when this is appropriate to activate. Please note that this is one of the most effective security measures the company can take to protect accounts from being hijacked.
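The two-step authentication described earlier (a one-time code sent to the user's registered phone after the password check) and the multi-factor authentication discussed here share the same server-side logic. The following added example, which is not code from the original page, shows that server-side part: issuing a short code and accepting it only if it is presented before it expires, at most once, and within a small number of attempts. The delivery channel (SMS or authenticator app) is abstracted as a `send` callback, and the names `OtpStore`, `issue_code`, `verify_code` and `demo` are this example's own.

```python
"""Server-side handling of a one-time code used as a second factor (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 3         # after three wrong guesses the code is void


def _digest(code: str, salt: bytes) -> bytes:
    """Store only a salted hash of the code, never the code itself."""
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class PendingCode:
    digest: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


@dataclass
class OtpStore:
    clock: Callable[[], float] = time.time        # injectable for testing
    pending: dict[str, PendingCode] = field(default_factory=dict)

    def issue_code(self, username: str, send: Callable[[str, str], None]) -> None:
        """Generate a fresh code after the password check succeeded and hand it to the channel."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self.pending[username] = PendingCode(
            digest=_digest(code, salt), salt=salt,
            expires_at=self.clock() + CODE_TTL_SECONDS,
        )
        send(username, code)   # e.g. SMS to the number registered for the user

    def verify_code(self, username: str, submitted: str) -> bool:
        """Accept a code once, in time, with a bounded number of wrong guesses."""
        pending = self.pending.get(username)
        if pending is None:
            return False
        if self.clock() > pending.expires_at:
            del self.pending[username]
            return False
        # Constant-time comparison so timing does not leak how many digits matched.
        if hmac.compare_digest(_digest(submitted, pending.salt), pending.digest):
            del self.pending[username]   # single use: a replayed code is rejected
            return True
        pending.attempts_left -= 1
        if pending.attempts_left <= 0:
            del self.pending[username]   # too many guesses: a new code must be issued
        return False


def demo() -> dict[str, bool]:
    """Exercise the store with a controllable clock; every outcome should be True."""
    now = [1_000.0]
    delivered: dict[str, str] = {}
    store = OtpStore(clock=lambda: now[0])

    def send(user: str, code: str) -> None:
        delivered[user] = code   # constructed stand-in for an SMS gateway

    def other_than(code: str) -> str:
        return "000000" if code != "000000" else "000001"

    results: dict[str, bool] = {}
    store.issue_code("anna", send)
    code = delivered["anna"]
    results["wrong_code_rejected"] = not store.verify_code("anna", other_than(code))
    results["right_code_accepted"] = store.verify_code("anna", code)
    results["replay_rejected"] = not store.verify_code("anna", code)

    store.issue_code("anna", send)
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_rejected"] = not store.verify_code("anna", delivered["anna"])

    store.issue_code("anna", send)
    code = delivered["anna"]
    for _ in range(MAX_ATTEMPTS):
        store.verify_code("anna", other_than(code))
    results["locked_after_attempts"] = not store.verify_code("anna", code)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The expiry, single-use and attempt limit are what make a six-digit code adequate as a second factor: without them the one-million code space could simply be enumerated, and a code intercepted once could be reused.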

Storage and protection

It is important to store the personal data in a sufficiently secure manner. For example, there are various digital services that offer convenient password management using encryption. Remember not to write down passwords together with usernames in unprotected locations, such as post-it notes in the office.

Mobile devices

Mobile devices are common in companies and it is not uncommon for them to be used to process personal data. In such cases, it is important to have adequate protection. Biometric authentication may be appropriate, especially if there is sensitive personal data stored within the mobile device (such as a mobile phone or work laptop).

Reset

In some cases, employees may need to reset their password. In such cases, it is useful to regulate how identification occurs and the rules for sending recovery links.

Suspicion of exposure

It is important that employees know how to act in the event of a suspected password exposure: for example, changing the password immediately, documenting the incident and, if possible, including a description of how the exposure could have occurred, as this can help the company prevent similar events in the future.

Education

It is good to clarify in the internal password procedures that all employees should take appropriate measures to protect their passwords. In addition, it is good to include that new employees should receive training during onboarding, for example on how to avoid falling victim to phishing scams.

Learn more

Privacy Policy is another policy that may be useful to establish

A privacy policy is an internal governance document that helps employees at the company know how to act in accordance with the GDPR. It is not the same as a privacy notice, which is addressed externally to data subjects. Instead, a privacy policy helps to create a good structure within the company’s data protection work, which can help the company and employees to comply with the rules of GDPR.
