AWS and the GDPR: A state of compliance

GDPR 101:

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). It aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The GDPR came into effect on May 25, 2018. It applies to all organizations that process the personal data of individuals in the EU, regardless of where the organization is located.

This creates the central tension of the current era: on one side, companies want to use the full toolset of the cloud and process data at massive scale; on the other, strict regulation places legal constraints on exactly those plans.

GDPR: The big challenge of balancing regulations and data processings


AWS and the GDPR: Compliance and Cloud simultaneously possible?

Amazon Web Services (AWS), currently the largest public cloud provider in the market, is committed to helping customers comply with the GDPR. Under the shared responsibility model AWS is responsible for the security of the underlying cloud, while the customer remains responsible for how personal data is configured, protected and processed on top of it, so compliance is never automatic. That said, AWS offers a number of features and services that help customers meet the GDPR's obligations, including:

Identity and Access Management (IAM)

IAM lets customers control which people and workloads can access their AWS resources and data, which supports the GDPR's requirements for the security of processing and for limiting access to personal data to those who need it. IAM includes features such as:

  1. Policies, groups and roles: IAM policies grant specific API actions on specific resources and are attached to users, groups or roles; roles additionally let applications and services obtain short-lived credentials instead of long-term access keys. Writing policies with least privilege ensures that only authorized identities can reach the data.
  2. Multi-factor authentication (MFA): MFA adds a second factor, such as a code from a hardware token or an authenticator app, on top of the password before a user can sign in. The aws:MultiFactorAuthPresent condition key additionally allows policies to deny sensitive actions unless the session was MFA-authenticated.
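
As an added example (not code from the article or from AWS), the following Python models why the usual "deny everything unless MFA" IAM statement has to use the BoolIfExists operator: a request signed with long-term access keys carries no aws:MultiFactorAuthPresent key at all, so a plain Bool condition never matches it and the Deny silently does not apply. The request contexts are constructed, and only the two operators involved are modelled; this is not an IAM policy engine.

```python
# Added example, not code from the article or from AWS: models why a
# "deny everything unless MFA" IAM statement must use BoolIfExists.
# Only the Bool and BoolIfExists operators are modelled; this is not an
# IAM policy engine. Request contexts below are constructed.

DENY_WITHOUT_MFA_BOOL = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}},
}

DENY_WITHOUT_MFA_IFEXISTS = {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}


def condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate a policy Condition block against the request-context keys.

    Semantics modelled (as documented for IAM):
      Bool         -> key absent from the request: condition is false
      BoolIfExists -> key absent from the request: condition is true;
                      key present: compared exactly like Bool
    Every operator/key pair must hold (logical AND).
    """
    for operator, pairs in condition.items():
        if operator not in ("Bool", "BoolIfExists"):
            raise ValueError(f"operator {operator} not modelled here")
        for key, expected in pairs.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue          # missing key satisfies ...IfExists
                return False          # missing key never satisfies Bool
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def is_denied(statement: dict, context: dict) -> bool:
    """True when this explicit Deny statement applies to the request."""
    return statement["Effect"] == "Deny" and condition_matches(
        statement.get("Condition", {}), context
    )


# Constructed request contexts. The MFA key is present for sessions built on
# temporary credentials (console sign-in, sts:AssumeRole, sts:GetSessionToken);
# a request signed directly with long-term access keys does not carry it.
REQUESTS = {
    "console_with_mfa": {"aws:MultiFactorAuthPresent": "true"},
    "console_no_mfa": {"aws:MultiFactorAuthPresent": "false"},
    "cli_long_term_keys": {},
}

STATEMENTS = {
    "Bool": DENY_WITHOUT_MFA_BOOL,
    "BoolIfExists": DENY_WITHOUT_MFA_IFEXISTS,
}


def evaluate_all() -> dict:
    """Map (operator, request name) -> whether the request is denied."""
    return {
        (op, name): is_denied(stmt, ctx)
        for op, stmt in STATEMENTS.items()
        for name, ctx in REQUESTS.items()
    }


if __name__ == "__main__":
    for (op, name), denied in evaluate_all().items():
        print(f"{op:13s} {name:20s} -> {'DENY' if denied else 'allowed through'}")
```

In a real account the Deny also needs NotAction exceptions for the calls a user requires to enrol a device (iam:ListMFADevices, iam:EnableMFADevice, iam:CreateVirtualMFADevice and similar), otherwise a user without a device can never obtain one; AWS documents that pattern as the policy that allows users to manage their own MFA device.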

CloudTrail

CloudTrail records the API calls made in an AWS account, which lets customers track and audit who accessed or changed what, and when. This supports the GDPR's requirements for accountability and for being able to demonstrate compliance. Points worth knowing:

  1. Coverage and retention: by default CloudTrail records management events (control-plane calls such as creating an IAM user or changing a security group) and shows the last 90 days of them in the console event history. Object-level reads and writes in S3, Lambda invocations and similar data events, which is where access to personal data actually shows up, must be enabled explicitly. For retention beyond 90 days a trail has to deliver logs to an S3 bucket, where retention is governed by the bucket's lifecycle policy, or to a CloudTrail Lake event data store, which supports multi-year retention; the retention period should match what the organisation's accountability obligations require.
  2. Event filtering: each event carries the identity, source IP address, service, action and request parameters of the call, so events can be filtered down to, for example, reads of a bucket known to hold personal data or changes to the trail itself. This makes it practical to audit data processing activities rather than wade through every API call.
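
The following Python, added here as an illustration and not taken from the article or from AWS, applies that kind of filtering to CloudTrail records. It reads a log in the shape CloudTrail delivers to S3 ({"Records": [...]}) and reports reads of a bucket assumed to hold personal data, sessions without MFA, source addresses outside an assumed office allow-list, and changes to the network boundary or to the trail. The records, the bucket name and the allow-list are constructed for the example.

```python
# Added example, not code from the article or from AWS. Filters CloudTrail
# records for activity a GDPR audit cares about: reads of a bucket holding
# personal data, sessions without MFA, sources outside an allow-list, and
# changes to the audit trail or network boundary. The records, the bucket
# name and the allow-list are constructed for this example.
import ipaddress
import json

PII_BUCKETS = {"customer-records-eu"}                          # assumption
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption (TEST-NET-3)
BOUNDARY_CHANGES = {
    "AuthorizeSecurityGroupIngress", "PutBucketPolicy", "PutBucketAcl",
    "StopLogging", "DeleteTrail", "UpdateTrail", "DisableKey",
}

# Constructed sample in the layout of a CloudTrail log file delivered to S3.
SAMPLE_LOG = json.dumps({"Records": [
    {   # management event: inbound rule added to a security group
        "eventVersion": "1.08", "eventTime": "2024-03-01T09:12:44Z",
        "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
        "sourceIPAddress": "203.0.113.10", "readOnly": False,
    },
    {   # S3 data event: personal-data object read from an unknown network, no MFA
        "eventVersion": "1.08", "eventTime": "2024-03-01T11:30:02Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::123456789012:assumed-role/analyst/bob",
                         "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
        "sourceIPAddress": "198.51.100.7", "readOnly": True,
        "requestParameters": {"bucketName": "customer-records-eu", "key": "exports/2024-02.csv"},
    },
    {   # S3 data event on a bucket with no personal data: nothing to report
        "eventVersion": "1.08", "eventTime": "2024-03-01T11:31:10Z",
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/carol"},
        "sourceIPAddress": "203.0.113.22", "readOnly": True,
        "requestParameters": {"bucketName": "public-assets", "key": "logo.png"},
    },
]})


def mfa_authenticated(record: dict) -> bool:
    """True only when the session context says MFA was used. Requests signed
    with long-term access keys carry no sessionContext at all, so they count
    as not MFA-authenticated."""
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return attrs.get("mfaAuthenticated") == "true"


def from_allowed_network(source: str) -> bool:
    """CloudTrail puts a DNS name (e.g. 'cloudformation.amazonaws.com') in
    sourceIPAddress for calls made on the customer's behalf by an AWS
    service; those are treated as internal here."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return source.endswith(".amazonaws.com")
    return any(ip in net for net in ALLOWED_NETWORKS)


def analyze(log_text: str) -> list:
    """Return one finding per record that needs attention, with its reasons."""
    findings = []
    for rec in json.loads(log_text)["Records"]:
        reasons = []
        params = rec.get("requestParameters") or {}
        if rec["eventSource"] == "s3.amazonaws.com" and params.get("bucketName") in PII_BUCKETS:
            reasons.append("personal-data-bucket")
            if not mfa_authenticated(rec):
                reasons.append("no-mfa")
            if not from_allowed_network(rec["sourceIPAddress"]):
                reasons.append("outside-allow-list")
        if rec["eventName"] in BOUNDARY_CHANGES:
            reasons.append("boundary-or-audit-change")
        if reasons:
            findings.append({
                "time": rec["eventTime"],
                "actor": rec["userIdentity"].get("arn", "<unknown>"),
                "event": f'{rec["eventSource"]}:{rec["eventName"]}',
                "object": (f'{params.get("bucketName")}/{params.get("key")}'
                           if params.get("bucketName") else None),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["time"], f["actor"], f["event"], f["object"], ", ".join(f["reasons"]))
```

The third record is deliberately left unflagged: the point of the data-event switch is to capture object-level access, but only access to buckets that actually hold personal data belongs in the GDPR audit view, so the bucket inventory (here PII_BUCKETS) is the input that makes the filter meaningful.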

Security Groups

Security groups are stateful, instance-level firewalls attached to resources such as EC2 instances, RDS databases and load balancers. They define which sources, protocols and ports may reach a resource and deny all inbound traffic that is not explicitly allowed, which supports the GDPR's requirement to secure the processing of personal data. Security groups include features such as:

  1. Source allow-listing: inbound rules permit traffic only from listed IP ranges or, preferably, from other security groups, so that a database accepts connections only from the application tier and administrative ports such as SSH and RDP are never open to 0.0.0.0/0. Rules should be reviewed regularly, because a single overly broad rule exposes the resource to the whole internet.
  2. Network ACLs: network access control lists are a separate, stateless control applied at the subnet level that supports both allow and deny rules. They complement security groups as a second layer of network control rather than being a feature of them.
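
Added example, not from the article or from AWS: a Python audit of inbound security-group rules in the JSON shape that aws ec2 describe-security-groups returns. It flags sensitive ports and all-traffic rules that are open to 0.0.0.0/0 or ::/0, and shows why the web tier's HTTPS rule and a rule that references another security group are not findings. The groups are constructed and the list of sensitive ports is an assumption.

```python
# Added example, not code from the article or from AWS. Audits inbound
# security-group rules in the JSON shape returned by
# `aws ec2 describe-security-groups`. The groups are constructed and the
# list of sensitive ports is an assumption for this example.

WORLD = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {   # assumption: ports that should never be world-reachable
    22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
    5432: "postgresql", 6379: "redis", 27017: "mongodb",
}

SAMPLE_GROUPS = {"SecurityGroups": [
    {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web", "IpPermissions": [
        # HTTPS to the world is the job of a web tier: not a finding
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        # SSH restricted to the office range: not a finding
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24", "Description": "office"}],
         "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "app", "IpPermissions": [
        # Referencing another security group instead of a CIDR is the
        # preferred pattern: only members of 'web' can reach the app port
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
    ]},
    {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "db-legacy", "IpPermissions": [
        # PostgreSQL open to every IPv4 address
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # a wide port range that happens to include MySQL (3306) and RDP (3389)
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        # IpProtocol "-1" means all protocols and ports and carries no port fields
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
    ]},
]}


def world_sources(perm: dict) -> list:
    """CIDRs in this rule that mean 'anyone on the internet'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def audit(groups: dict) -> list:
    """Return (GroupId, GroupName, finding) for every world-reachable
    sensitive port and every all-traffic rule open to the world."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            for cidr in world_sources(perm):
                proto = perm["IpProtocol"]
                if proto == "-1":
                    findings.append((sg["GroupId"], sg["GroupName"],
                                     f"all protocols and ports open to {cidr}"))
                    continue
                if proto not in ("tcp", "udp"):
                    continue  # e.g. icmp: port fields mean type/code, not ports
                lo, hi = perm["FromPort"], perm["ToPort"]
                for port, name in sorted(SENSITIVE_PORTS.items()):
                    if lo <= port <= hi:
                        findings.append((sg["GroupId"], sg["GroupName"],
                                         f"{name} ({proto}/{port}) open to {cidr}"))
    return findings


if __name__ == "__main__":
    for group_id, name, finding in audit(SAMPLE_GROUPS):
        print(f"{group_id} ({name}): {finding}")
```

To run it against a real account, load the output of aws ec2 describe-security-groups --output json with json.load and pass the resulting dictionary to audit(); the range check matters because a wide port range such as 3000-4000 is easy to overlook while it silently exposes MySQL and RDP.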

AWS Security: complex at first sight, but with the right planning and roadmap everything becomes clear.


Encryption

AWS offers a number of encryption services that help customers protect data at rest and in transit, supporting the GDPR's requirement for appropriate technical measures such as encryption of personal data. They include:

  1. Amazon S3 encryption: S3 supports server-side encryption (SSE) with S3-managed keys (SSE-S3, applied by default to new objects), with KMS keys (SSE-KMS, which adds customer-controlled key policies and CloudTrail logging of every key use) and with customer-provided keys (SSE-C). Client-side encryption (CSE) encrypts data before it is uploaded, so S3 never handles the plaintext. A bucket policy can deny uploads that do not request the expected form of encryption.
  2. Amazon EBS encryption: EBS volumes are encrypted with KMS keys; encryption covers the volume, its snapshots and the data moving between the instance and the volume. Encryption by default can be enabled per region so that no new unencrypted volume can be created.
  3. AWS Key Management Service (KMS): KMS creates and manages the keys that other AWS services use for envelope encryption at rest: a data key encrypts the data, and the KMS key, which never leaves the service in plaintext, encrypts the data key. Key policies define who may use a key, and every use is recorded in CloudTrail. Data in transit to AWS service endpoints is protected with TLS rather than with KMS.
  4. AWS CloudHSM: CloudHSM provides single-tenant hardware security modules running in the customer's VPC. The customer alone manages the keys and AWS has no access to them, which suits organisations whose compliance rules demand exclusive control over key material; KMS can also be backed by a CloudHSM cluster through a custom key store.

Data Processing Addendum (DPA)

AWS offers a GDPR DPA that addresses the GDPR's requirements for contracts between controllers and processors (Article 28); it is incorporated into the AWS Service Terms and therefore applies automatically to every customer. The DPA includes terms such as:

  1. Data security: AWS must implement appropriate technical and organisational measures to protect the personal data it processes on the customer's behalf.
  2. Data subject rights: the GDPR itself grants data subjects the rights to access, rectify, erase, restrict, object to and port their personal data; the DPA commits AWS to assist the customer, as controller, in responding to such requests within the scope of the services.
  3. Security incident notification: AWS must notify customers without undue delay of a security incident affecting their data, so that the customer can meet its own obligation to report a personal data breach to the supervisory authority within 72 hours where required.

AWS Security and Compliance: AWS offers a plethora of services and features to secure your infrastructure and be GDPR compliant as well.


AWS GDPR Compliance Services

In addition to these features and services, AWS also offers a number of resources to help customers comply with the GDPR, including:

  • GDPR Center: a central resource where customers can learn about the GDPR and how AWS services relate to it, including whitepapers, FAQs and the shared responsibility model.
  • AWS Audit Manager: Audit Manager continuously collects evidence from sources such as AWS Config, AWS Security Hub and CloudTrail and maps it to the controls of a chosen framework, including a prebuilt GDPR framework or a custom company standard. Its output is evidence for an assessment; it does not by itself make an environment compliant, so findings from AWS Config rules and Security Hub controls still have to be remediated.

E.U. Regulations vs. Data Processing: Although challenging, AWS can facilitate GDPR compliance with their services and compliance certifications


Conclusion

Here are some final thoughts on AWS and the GDPR regarding the state of compliance:

  • AWS is constantly working to improve its compliance with the GDPR. AWS regularly updates its features and services to ensure that they meet the latest GDPR requirements.
  • AWS offers a number of resources to help customers comply with the GDPR. These resources can help customers to understand the GDPR and to implement the necessary measures to comply with it.
  • AWS is a trusted partner for many organizations that need to comply with the GDPR. AWS has a proven track record of helping organizations to comply with the GDPR, and AWS is committed to continuing to help organizations to comply with the GDPR in the future.

If your organization needs to comply with the GDPR, AWS can help. It offers features, services and resources that support compliance, but the configuration of those features and the processing of personal data remain your responsibility, so compliance is achieved by using them deliberately rather than by using AWS as such.

So do not be afraid of the cloud when it comes to the GDPR. Although challenging, you can harness the full potential of AWS and still comply with the GDPR.


For more insights on AWS security and compliance or GDPR particularities, feel free to reach out and discuss the latest developments in cloud compliance in the E.U.



Author: Vasileios Sofroni - Cloud Consultant - 8x AWS certified - Security and Compliance Consultant

Thanks for sharing, it's really well written and insightful

Vasileios Sofroni

Amazon Champion Authorized Instructor (AAI) | AWS Community Builder | 9x AWS Certified | Cloud Security Enthusiast | Cloud Compliance & Governance Specialist

1 year

For more insights about AWS GDPR compliance visit: https://aws.amazon.com/compliance/gdpr-center/?nc1=h_ls

Lukas Merz

Digital Transformer and Cloud Expert | #problemlöser #digitalization #transformation #gerneperdu

1 year

Nice read Vasili. Thanks for the insights.
