GDPR does this need a password

[Shinyandnew2022]

So I work in a job where clients send me lists of employees that I then invite to events and register for access to our software using their email address.

We are told to password protect these lists for GDPR compliance .

Is that correct and necessary ?

Thanks if you can advise

GDPR doesn't specify what steps you need to take - but it does say you need to take reasonable steps to keep personal data secure.

If clients are sending to you, then presumably they are password protecting them before sending to you.

If you are storing them internally then password protection is one way to protect them, but strong network security and protocols would be better. E.g. having a secure folder which only those who need access can view.

Does your company have a data security team or person?

Thanks @LordEmsworth that's useful.
We are quite small so we have an ops person who does legals ( not qualified !) and IT people
We do restrict access to client files to those that need it .

Clients rarely password protect data until we ask them too or we add the password

I find it useful to think of a situation where the data was leaked, held for ransonwear, lost etc and then work backwards

What would you have done differently to protect the data? Password is probadly the minimum. If you are processing large volumes of data then the impact is higher and therefore security should be more stringent.

Does your company hold any cyber security accreditation? The government has schemes for small companies.

if you have an Excel table of names / emails, and then you password protect the spreadsheet, then you also have to remember (a) Excel has crappy security and is easy to hack and (b) someone has to also send the password in a separate email, and (c) anyone who has hacked your email now has both the Excel file and the password.

these days, it is better to use an online sharing system like Teams where you can give specific people permission to access a file and track who has access.

Also, think about what would be revealed if the information was hacked. If the list is just

• [email protected] Jane Smith - IT training -

etc then a person who steals the file has only learnt that Jane Smith works at your company and is doing general IT training, which is not personal or valuable info.

On the other hand, if the list has info about who is at risk of being fired, or who has mental health needs or who is in the LGBT group, or any other sensitive and personal info, then you need to be much more careful with it.

Thanks @parietal this is very clear and useful
I think this is where my question stems from - the data is pretty much just email addresses .
Most clients we now use Teams and it struck me that feel way more secure . Some clients we are stuck with
Email .

Always always always password protect something with members of the publics names on.

Can you reasonably see a situation where someone might attach that document to an email and then send it to the wrong 'Jane' so Jane at Client A gets a list that Jane at Client B should have got instead?

If you can then password protect it.

Thanks @HalfShrunkMoreToGo yes this could theoretically happen so I suppose that makes it a worthwhile step even if not that secure !

Why are you asking on a public forum not your employer…? It’s their responsibility to tell you what to do and you have a responsibility to check and follow all policies.

Doesn't really matter if clients don't password protect it when sending data to you. If it gets intercepted in transit, it's THEIR problem/GDPR breach, not yours. But once it's in your possession, then YOU have to do whatever you think appropriate to protect personal information under the GDPR. You don't have a defence of saying "client didn't password protect it", if there's a data leak/theft from your organisation!