How to handle emails as usernames under GDPR?

IANAL, but GDPR does not make encryption mandatory for personal data. Read this article to understand the complexity around encryption and GDPR better.

In the GDPR encryption is explicitly mentioned as one of the security and personal data protection measures in a few Articles. Although under the GDPR encryption is not mandatory, it is certainly important to see where and why encryption is advised.

...

GDPR encryption: the what you should know part Before doing so let’s be clear: GDPR compliance, as we wrote before is a business strategy challenge and encrypting personal data STRICTLY SPEAKING is not mandatory.

Read more at https://www.i-scoop.eu/gdpr-encryption/

Preferably you do a Privacy Impact Assessment. Afterwards make a decision how you will handle the personal data. If you conclude that encryption of email usernames is a good decision, do it. For example if your web-application is called peoplewhoarechristians.com the usernames would be classified as sensitive data because it creates a relation between the user and their religion. But how sensitive the personal data is will depend by case basis and so will the actions to mitigate the risks. Also the law talks about a "implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk", what appropriate is will differ per case.

Your approach feels good for sensitive personal data. I think it will be overkill for low risk personal data. Still I would document your decision. Email addresses are currently not sensitive data by default. Read this article about the difference between sensitive and non-sensitive.

We could argue that giving an email address as username means that the user gives consent for processing and aware that it could leak in combination with your app-name. But better safe than sorry and therefore I would ask clear consent for the usage. In this example the purpose of personal data collection and processing is authentication and probably access control, but don't forget analytics and things like error logging. If you plan to also use the email for marketing purposes be sure to gather extra consent.

Tags:

Credentials

Anonymity

Web Application

User Names

Gdpr

Related

Is there any security risk when a certificate authority is used more than all others? Received a set of SMS/MMS containing 2 photos, a voice message, and a text "I need help" with Google Maps link from a known contact. Is it spam? Why use usernames and not just email addresses to identify users? What is the difference between "Incident", "Attack" and "event"? Why would I ever use AES-256-CBC if AES-256-GCM is more secure? What are the real physical risks of casual social media publishing? Secure way of masking out sensitive information in screenshots? If I'm PCI-DSS compliant, do I need to worry about GDPR? Why don't browsers block cross-site POSTs by default? Why has Ubuntu 18.04 moved back to insecure Xorg? 4-dial combination padlock: Is it more secure to zero it out or to blindly spin the dials after locking? Why should we care about Adobe Flash?

Recent Posts