The protection of personal data is a fundamental right that requires adequate measures to ensure its security. One of these measures is the use of cryptographic systems to encrypt sensitive data. Currently, two billion people use encryption every day to protect their communications (European Digital Rights 2023). In this regard, the General Data Protection Regulation mentions encryption as a measure that is part of the conditions for the compliance of the processing and as an aid to mitigate the risks of a possible personal data breach.
Following the Guidelines for the validation of cryptographic systems in data protection, published jointly with ISMS Forum and APEP in May 2023, and given the good reception they have received both nationally and internationally, the ValidaCripto RGPD web tool puts the methodology for evaluating an encryption system into an agile and intuitive form. It works through each of the elements involved in the encryption process and their adequacy to the context of the processing of personal data.
The web tool is free and runs locally in the browser, without collecting or transmitting any data to the AEPD. It has a help section where its operation is explained step by step: selecting the impact of the encryption system on the processing, categorizing the most critical elements, reviewing the suggested controls, and generating follow-up documentation. Its objective is to offer a quick and efficient way to verify the suitability of cryptographic systems implemented in personal data processing, selecting from the list of proposed controls those that could be the most appropriate. The data can be stored in and loaded from a local file, under the full control of the user, and reports can be generated.
This tool, like the Guidelines for the validation of cryptographic systems in data protection, is aimed at data controllers and processors/sub-processors to whom the GDPR applies and who apply cryptography in their processing of personal data. It is therefore also aimed at data protection officers, personal data protection advisors, data protection auditors, security specialists, and functional managers of the controller or processor entities. This guide is also recommended for developers of encryption solutions intended for the processing of personal data and, in general, for developers of ICT system products and services.