The Conference of the Independent Data Protection Authorities of the Federal and State Governments (DSK, Datenschutzkonferenz) is a forum that issues opinions and statements on current data protection issues in Germany. One of the DSK's principal tasks is to achieve uniform application of European and national data protection law. Although DSK resolutions and statements are not legally binding, data protection officers should nevertheless take them into account when implementing the statutory provisions, because they spell out in more detail how the supervisory authorities interpret data protection questions.
On April 5, 2019, the DSK working group "Technical and Organisational Data Protection Issues" published an orientation guide on the measures online services should take to secure access. The guide is aimed at providers of online services that process users' personal data. Such companies fall under the GDPR and must therefore comply in particular with its provisions on security of processing (Article 32 GDPR), which include measures to secure access to the services. In the view of the data protection supervisory authorities, the measures described in the guide correspond to the state of the art and ensure effective protection of users' personal data.
The orientation guide describes the following measures:
measuring and displaying password strength
forcing password changes only in specific cases
a procedure for handling failed login attempts
handling compromised services
secure password reset
encrypted transmission of passwords
encrypted storage of passwords
securing password databases against unauthorised access
staff training
offering two-factor authentication
separation of authentication data and user data
information about password managers
security as an integrated task
In addition to the measures listed above, the DSK expressly refers to the recommendations of the Federal Office for Information Security (BSI) in the IT Baseline Protection Compendium on identity and authorisation management (including Basic Requirement ORP.4.A8 "Rules on password use" and ORP.4.A11 "Resetting passwords").
Online service providers should pay particular attention to the newly published orientation guide, because the Bavarian Office for Data Protection Supervision, as supervisory authority, already examined at the beginning of February how website operators handle their customers' passwords (link to the audit by the Bavarian Office for Data Protection Supervision). Twenty very popular online services in Germany, ranging from social networks to video streaming portals and online shops, were reviewed more closely. The authority found that none of these services required strong passwords from their users and that very weak passwords such as "123456", "password" or even "0000" were often accepted. In addition, only a small number of the services offered additional security measures and help for protecting accounts. It is therefore more than likely that the supervisory authorities will keep a close eye on whether access to online services is secured and will carry out corresponding audits. In this context, the supervisory authorities expect adequate measures to secure access to be implemented.
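The list of measures above names what the guide asks for without showing how the pieces fit together, and the Bavarian audit shows what goes wrong when they are missing. As an added illustration (this is not code from the DSK guide, the BSI, or any audited service), the Python below implements four of the measures in a minimal form: a strength check with a blocklist that contains the very values the audit found accepted, salted slow hashing for stored passwords, lockout after repeated failed logins, and a single-use, time-limited password reset token of which only a hash is stored. The thresholds (12 characters, 600,000 PBKDF2 iterations, five attempts, 15-minute lockout, 30-minute token lifetime), the blocklist contents and all names are assumptions, not figures from the guide; PBKDF2-HMAC-SHA256 is used only because it ships with the standard library, and Argon2id or scrypt would be the better choice where available.

```python
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed blocklist: the values the Bavarian audit found accepted, plus a
# few common ones.  A production system loads a large breached-password list.
WEAK_PASSWORDS = {"123456", "password", "passwort", "0000", "qwerty", "12345678"}

MIN_LENGTH = 12               # assumed minimum length
PBKDF2_ITERATIONS = 600_000   # assumed work factor; Argon2id/scrypt preferred when available
MAX_FAILED = 5                # assumed lockout threshold
LOCKOUT_SECONDS = 15 * 60     # assumed lockout duration
RESET_TOKEN_TTL = 30 * 60     # assumed reset-token lifetime


def password_problems(pw: str) -> List[str]:
    """Return the reasons a candidate password is unacceptable ([] means acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in WEAK_PASSWORDS:
        problems.append("on the weak-password blocklist")
    if len(set(pw)) < 4:
        problems.append("fewer than 4 distinct characters")
    return problems


def hash_password(pw: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the stored string carries its own parameters."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


@dataclass
class Credential:
    """Authentication data only; profile data is kept in a separate store."""
    username: str
    password_hash: str
    failed_attempts: int = 0
    locked_until: float = 0.0
    reset_token_hash: str = ""
    reset_expires: float = 0.0


def login(cred: Credential, pw: str, now: Optional[float] = None) -> str:
    """Return 'ok', 'wrong_password' or 'locked'; lock after MAX_FAILED failures."""
    now = time.time() if now is None else now
    if now < cred.locked_until:
        return "locked"
    if verify_password(pw, cred.password_hash):
        cred.failed_attempts = 0
        return "ok"
    cred.failed_attempts += 1
    if cred.failed_attempts >= MAX_FAILED:
        cred.locked_until = now + LOCKOUT_SECONDS
        cred.failed_attempts = 0
        return "locked"
    return "wrong_password"


def issue_reset_token(cred: Credential, now: Optional[float] = None) -> str:
    """Random token sent to the user; only its hash is stored, so a DB leak cannot replay it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    cred.reset_token_hash = hashlib.sha256(token.encode()).hexdigest()
    cred.reset_expires = now + RESET_TOKEN_TTL
    return token


def redeem_reset_token(cred: Credential, token: str, new_pw: str, now: Optional[float] = None) -> bool:
    """Accept the token once, within its lifetime, and only for an acceptable new password."""
    now = time.time() if now is None else now
    if not cred.reset_token_hash or now > cred.reset_expires:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, cred.reset_token_hash):
        return False
    if password_problems(new_pw):
        return False
    cred.reset_token_hash, cred.reset_expires = "", 0.0      # single use
    cred.password_hash = hash_password(new_pw)
    cred.failed_attempts, cred.locked_until = 0, 0.0         # reset clears any lockout
    return True


if __name__ == "__main__":
    print(password_problems("0000"))
    cred = Credential("alice", hash_password("correct horse battery staple"))
    print(login(cred, "wrong", 0.0), login(cred, "correct horse battery staple", 1.0))
```

The `now` parameters exist so the lockout and token-expiry paths can be exercised deterministically; in a real service they default to the clock. Note that the reset path rejects a weak replacement password without consuming the token, and that a successful reset also clears a lockout, which is the usual recovery route for a user who has locked themselves out.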