Does GDPR explicitly require passwords to be protected?
Although the GDPR does not explicitly state “protect passwords in transit and at rest,” the principles and obligations outlined in the regulation clearly indicate that passwords must be managed securely as part of protecting personal data.
Failure to do so may result in regulatory penalties, particularly if a data breach occurs due to insufficient password security.
This is in line with the purpose of the regulation: it is not a technical standard, it is a policy.
Why no explicit mandate?
Because GDPR is built on these principles:
| Principle | Why it matters |
|---|---|
| Technology neutrality | Avoids becoming obsolete. |
| Risk-based approach | Security must match the threat model. |
| Flexibility | Works for startups, enterprises, hospitals, IoT, cloud, etc. |
| Outcome-focused | Protect the data, not follow a checklist. |
NIS2 is much more prescriptive than GDPR.