This preview shows page 244 - 246 out of 329 pages.

‘Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures’

This means that when you are considering a password setup to protect access to a system that processes personal data, that setup must be ‘appropriate’.

Although the UK GDPR does not define what is ‘appropriate’, it does provide further considerations in Article 32, ‘security of processing’:

‘Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.’

This means that when considering any measures, you can consider the state of technological development and the cost of implementation – but the measures themselves must ensure a level of security appropriate to the nature of the data being protected and the harm that could be caused by unauthorised access.

In other words, you cannot simply set up a password system and then forget about it – there must be a periodic review process.

What else do we need to do?

You must ensure that you are aware of the state of technological development in this area and that your processes and technologies are robust against evolving threats.

For example, advances in processing power can reduce the effectiveness of cryptography or particular design choices can become outdated.

You must also consider whether there might be better alternatives to passwords that can be used to secure a system.

Article 25 of the UK GDPR also requires you to adopt a data protection by design approach. This means that whenever you develop systems and services that are involved in your processing, you should ensure that you take account of data protection considerations at the initial design stage and throughout the lifecycle. This applies to any password system you intend to use.

At the same time, provided you properly implement a password system, it can be an element that can be used to demonstrate compliance with your obligations under data protection by design.

Further Reading

What are the challenges in choosing the right authentication scheme?

One of the biggest challenges you face when dealing with personal data online is ensuring that such data can be accessed only by those with the correct permissions - in other words, authenticating, and authorising, the individual who is trying to gain access.

It is commonly accepted that there are three main ways of authenticating people to a system – checking for:

  • something the individual has (such as a smart card);
  • something the individual is (this is usually a biometric measure, such as a fingerprint); or
  • something the individual knows.

01 January 2021 - 1.1.211
