There are no specified requirements in the General Data Protection Regulation (GDPR) regarding passwords. This is not necessarily the good news that it might seem at first. If there were detailed requirements, all you would have to do is conform to them and everything would be fine. The lack of precision means that the critical decisions are left to you.
Article 5(1)(f) says, in brief, that you should ensure appropriate security of personal data. It then lists the various aspects that you have to consider. Read the complete Article here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/principles/
Given that it is one of the five principles of processing personal data, anyone who has anything to do with email marketing lists should have it displayed on their office wall.
The most common method of securing personal data is with passwords. Modern systems appear reassuringly complex so it is all the more bewildering that so many have shown themselves vulnerable to attack.
The GDPR requires that any security system be ‘appropriate’, a word whose meaning is set out in Article 32. That Article should be read and understood in full, but to précis the important points: when judging whether a security system is adequate, you should take into account the current level of risk and the likely sophistication of attack methods.
This does not mean that all you need to do is invest a moderate, and justifiable, amount in your password system and then forget about it. It is clear that assessing its suitability is an ongoing process. Not only should you take steps to ensure your systems are state of the art, you need to be able to justify your decisions using contemporaneous records.
You would have been able to justify a fairly low level of expenditure when you had few subscribers on your email marketing lists, as you would not have been seen as much of a target. Now that you have grown, you might be prime material for an attack. Cost is still a legitimate consideration, however. In other words, you do not have to opt for the gold standard, although your expenditure will be judged against the likely risks.
It is clear that being aware of the current types of cyber threat likely to face your company is not enough on its own; you must be able to show that you responded to them. If you are unfortunate enough to be the victim of a cyber-attack, you will be asked to prove that your actions were reasonable.
A feature of the GDPR is the requirement for what is called data protection by design. This simply means that every aspect of data processing must take the data protection requirements into account. Your systems should comply with the Information Commissioner’s Office (ICO) recommendations. Your password system, if that is your main form of protection for the data on your email marketing lists, should not be seen in isolation. Your systems should be integrated so as to ensure, as far as is reasonable, that the data cannot be accessed by anyone who is not authorised.
The Information Commissioner’s Office has recently published updated guidance on passwords and encryption. As usual, it is written in readily accessible language. See: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/security/passwords-in-online-services/