Description

Adopted Data Protection Authority Guidelines on Cryptographic Systems Validation

On 9 May 2023, the Spanish Data Protection Authority (AEPD) issued guidelines on the use of cryptographic systems in data protection in collaboration with the Association for the Promotion of Information Security (ISMS Forum) and the Professional Association for Privacy (APEP). The guidelines are addressed to data controllers, processors, security specialists, advisers and auditors. The purpose of encryption is to make data unidentifiable to others without a key and support data protection efforts. The guidelines provide further clarifications with respect to the General Data Protection Regulation (GDPR), which states that encryption can significantly reduce the risk of data breaches. The guidelines note that encryption is effective if other security measures are implemented, considering individuals' rights. The guidelines specify that the encryption design must be carefully examined and evaluated when used to keep data confidential. The guidelines outline the main factors organisations must consider when applying encryption measures, including key management, the storage of encrypted messages, communication requirements, controller obligations and documentation requirements.

Scope

Policy Area: Data governance
Policy Instrument: Data protection regulation
Regulated Economic Activity: other service provider, infrastructure provider: cloud computing, storage and databases
Implementation Level: national
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2023-05-09: adopted

On 9 May 2023, the Spanish Data Protection Authority (AEPD) issued guidelines on the use of cryptog…