The widespread adoption of information and communication technologies has elevated encryption to a critical role in safeguarding data security. Properly implemented cryptographic mechanisms are essential for protecting personal data during automated processing, ensuring confidentiality, integrity, and authenticity. The effectiveness of an encryption system is determined by its overall performance as a cohesive system, not just by the strength of its individual components. To provide adequate protection, encryption systems must be efficient and effective for each specific processing context while remaining operationally sound. The General Data Protection Regulation (GDPR) specifically highlights encryption as a key measure for mitigating security risks associated with personal data protection.
For encryption to be truly effective in any processing operation, data controllers or processors must thoroughly evaluate all aspects of the encryption process, beyond merely selecting an algorithm or implementation. It is crucial to establish the requirements that the encryption system must meet in the context of personal data processing and validate that these requirements are consistently fulfilled. Additionally, continuous monitoring is necessary to ensure ongoing compliance. It’s important to consider that the protection of personal data extends over its entire lifecycle, which can last as long as the data subject’s lifetime. Therefore, any encryption strategy must account for technological changes over time. While encryption serves as a valuable tool for pseudonymisation, it does not equate to anonymisation.
This document outlines the recommended elements to assess when designing and validating an encryption system for processing personal data. It emphasizes the significance of such systems in safeguarding confidentiality and suggests a non-exhaustive list of controls. These guidelines aim to assist GDPR controllers, processors, Chief Information Security Officers (CISOs), Data Protection Officers (DPOs), data protection advisors, and internal and external auditors in selecting, validating, and monitoring encryption systems for specific processing operations. This endeavor aligns with the principles of data protection by design and accountability.
The document was developed by the Agencia Española de Protección de Datos (Spanish Data Protection Agency) in collaboration with the Asociación Profesional Española de Privacidad (APEP) and the Asociación Española para el Fomento de la Seguridad de la Información (ISMS Forum). It was reviewed by experts including Carlos Bachmaier, DPO of Sociedad Estatal; María Isabel González Vasco, a professor at the Universidad Rey Juan Carlos; and Isabel Barberá, a Privacy Engineer at Rhite. Their collective expertise has helped shape comprehensive guidelines for effectively integrating encryption into data protection strategies.
