GDPR Password Requirements: What Article 32 Actually Demands
GDPR does not specify password length or complexity, but Article 32 requires "appropriate technical measures." Here is what that means in practice.
What GDPR actually says about passwords
GDPR does not specify a minimum password length. It does not mandate two-factor authentication. It does not reference specific encryption algorithms for stored credentials. What it requires, under Article 32, is "appropriate technical and organisational measures" to ensure a level of security "appropriate to the risk."
That vagueness is intentional — the regulation is designed to be technology-neutral and future-proof. But it creates a genuine compliance challenge: how do you demonstrate that your password controls are "appropriate"?
Article 32: what it requires
Article 32(1) requires controllers and processors to implement measures including "pseudonymisation and encryption of personal data" and "the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems."
For authentication systems specifically, this means:
- Passwords must be stored as cryptographic hashes, not plaintext or reversible encryption
- The hashing algorithm must be current and appropriate (bcrypt, Argon2, scrypt — not MD5 or SHA-1 alone)
- Password policies must be proportionate to the sensitivity of the data being protected
- Breach detection and response must be in place (Article 33 requires 72-hour breach notification to supervisory authorities)
What "appropriate" means in practice
The EDPB (European Data Protection Board) and national supervisory authorities have provided guidance that makes the standard more concrete. For most systems handling personal data:
- A minimum of 8 characters is the floor for low-sensitivity systems; 12 or more for systems handling special category data
- Passwords should be checked against known-breached credential lists (NIST 800-63B recommendation)
- Multi-factor authentication is "strongly recommended" for systems processing sensitive personal data — not technically mandatory, but its absence will be scrutinised in a breach investigation
- Account lockout or rate limiting must be in place to prevent brute-force attacks
Where UK-GDPR diverges post-Brexit
UK-GDPR (the post-Brexit version) is substantively identical to EU GDPR for most purposes, including Article 32. The ICO (Information Commissioner's Office) applies the same "appropriate measures" standard. The practical difference: UK organisations report to the ICO, EU organisations report to their local supervisory authority.
GDPR and the breach notification requirement
If your organisation suffers a credential breach, GDPR requires notification to your supervisory authority within 72 hours of becoming aware. If the breach is "likely to result in a high risk to the rights and freedoms of individuals," you must also notify affected individuals without undue delay. Having strong password controls (hashing, MFA, breach detection) is relevant context that supervisory authorities will consider when determining whether a fine is appropriate.
Practical steps for GDPR compliance
- Use PassGeni's Password Policy Generator to create a documented policy — having a written policy is itself a compliance signal
- Ensure passwords are hashed with bcrypt, Argon2id, or scrypt with an appropriate work factor
- Implement MFA for any system with access to personal data
- Log and monitor authentication attempts for anomaly detection
- Check employee credentials against breach databases periodically
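The storage, breach-check and length items from the Article 32 list and the practical steps above, as an added Python example that is not part of the original article or of PassGeni's tools. It assumes scrypt from the standard library with an assumed work factor, a constructed three-entry breach corpus standing in for a live lookup, and a hypothetical record format of scrypt$N$r$p$salt$hash.

```python
import base64, hashlib, hmac, os

# Work factor assumed for interactive logins; raise it as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1

# Constructed breach-corpus stand-in, keyed like the HIBP range API (SHA-1 prefix -> suffixes).
_BREACHED = {}
for _pw in ("password", "123456", "qwerty"):
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    _BREACHED.setdefault(_h[:5], set()).add(_h[5:])

def is_breached(password: str) -> bool:
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in _BREACHED.get(h[:5], set())

def policy_violations(password: str, special_category: bool = False) -> list:
    # Length floor from the guidance above: 8, or 12 for special category data.
    minimum = 12 if special_category else 8
    issues = []
    if len(password) < minimum:
        issues.append(f"shorter than {minimum} characters")
    if is_breached(password):
        issues.append("appears in breached-credential corpus")
    return issues

def hash_password(password: str) -> str:
    # Salted scrypt, stored as a self-describing record: scrypt$N$r$p$salt$hash.
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(digest).decode()])

def verify_password(password: str, record: str) -> bool:
    # Recompute with the parameters stored in the record; compare in constant time.
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_b64, hash_b64 = parts
    expected = base64.b64decode(hash_b64)
    actual = hashlib.scrypt(password.encode(), salt=base64.b64decode(salt_b64),
                            n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(actual, expected)

def needs_rehash(record: str) -> bool:
    # Flags legacy schemes (e.g. a bare MD5 digest) or a work factor below the current one.
    parts = record.split("$")
    if parts[0] != "scrypt":
        return True
    return int(parts[1]) < SCRYPT_N or int(parts[2]) < SCRYPT_R or int(parts[3]) < SCRYPT_P
```

Run `needs_rehash` on the stored record at each successful login and re-store the password with `hash_password` when it returns True, so legacy hashes are retired without a forced reset.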