While the GDPR has been in place for several months, the ICO kicked off the new year by updating their data protection guidance with more details in the realm of encryption and password practices. Here are the highlights:
- All organisations should possess a proper encryption policy, detailing the use of encryption and outlining associated staff training protocol. The policy should include these standards:
- Encryption must be included in company risk assessments.
- The planned encryption method should meet standards such as FIPS 140-2 and FIPS 197.
- Personal data should be transmitted within an encrypted communication channel over any untrusted networks.
- The ICO emphasises that businesses with an effective password system possess these qualities:
- The system needs a proper hashing algorithm. Never store passwords in plaintext.
- All login pages require HTTPS protection. Limit available login attempts.
- Users must create a password with more than 10 characters.
- Two-factor or multifactor authentication should be available as needed.