Well, GDPR requires analysing and documenting flows of personal data. I can see how an organisation might choose to have a policy of password-protecting when data is transferred, so phrasing aside, it could sorta make sense.

They still need to read Schneier on security of algorithms and processes, though.