Data Protection Hero: I have not written my password on a yellow sticky note today

Writing a password on a sticky note and attaching it to your monitor is, statistically speaking, one of the most reliably bad ways to protect access to personal data. It is visible to colleagues, cleaners, visitors, and anyone else who passes within reading distance of your desk. Under GDPR Article 32, companies must implement appropriate technical and organisational measures to ensure the security of personal data - and a password displayed in plain sight on office furniture is not that.

Why it matters more than you think

A password written on a sticky note is not a minor lapse. It is a physical security failure that directly undermines whatever technical access controls your company has put in place. Your login credentials grant access to the systems, data, and records your role requires - and in many cases, that includes personal data belonging to colleagues, customers, or service users. A visitor who glances at your screen during a meeting does not need to be a sophisticated attacker. They just need to be able to read.

Data protection authorities across Europe have taken enforcement action in cases where poor credential management contributed to a personal data breach. The GDPR treats access control as an organisational responsibility, not just an individual one - but individuals who write passwords in plain sight make that responsibility significantly harder to meet.

Remember that the same applies to the passwords you use privately, on your home devices and on those of your family. The scenario is exactly the same, but if something goes wrong the consequences could be devastating for you personally and for your family members. Educate your family as well.

The practical fix

The reason people write passwords on sticky notes is almost always the same: the password is too complex to remember, and there is no better system in place. The solution is not to simplify the password - it is to remove the need to remember it at all. A password manager stores credentials securely and fills them in automatically, eliminating the sticky note problem entirely.

For companies, the more durable fix is to provide a password manager as standard, enforce complexity requirements through identity management systems, and pair both with multi-factor authentication (MFA). MFA means that even if a password is seen by someone who should not have seen it, it is not sufficient on its own to gain access. That is the kind of layered control that Article 32 is designed to encourage.

Frequently Asked Questions

Is writing a password on a sticky note a GDPR violation?
Not in isolation - GDPR applies to companies, not to individual acts. But if a personal data breach occurs because credentials were written in plain sight and used by an unauthorised person, the company would need to demonstrate that it had appropriate measures in place to prevent that. A culture of sticky-note passwords makes that very difficult to demonstrate.

Why do people still do this if it is so obviously a problem?
Because the alternative - remembering a long, complex, unique password - is genuinely difficult, and organisations often fail to provide a better solution. Criticising employees for sticky notes without providing a password manager is an organisational failure dressed up as a behavioural one.

What should I use instead of a sticky note?
A password manager generates strong passwords automatically and fills them in without you needing to type or remember them. If your company does not provide one, it is worth raising with whoever manages your IT or data protection programme.

#DataProtectionHero

Author
Tim Clements
Tim Clements is Business Owner of Purpose and Means, a data protection and GRC consultancy based in Copenhagen, operating globally. He helps data protection and GRC leaders simplify complexity into actionable strategies, providing tools, training, and support to engage and influence across the organisation. Tim is a Chartered Fellow of the BCS (British Computer Society).
