Becoming GDPR compliant with AWS
General Data Protection Regulation is a significant new EU Data Protection Regulation that introduces requirements that will raise and harmonize standards for data protection, security and compliance across EU for now, but looking at the recent disclosure of data by Facebook it´s a rumor that a similar regulation will e introduced to US and other markets in the close future.
GDPR is enforceable May 25th, 2018 and it replaces the existing EU Data Protection Directive. The territorial scope of this new compliance is for organizations established in the EU and organizations without EU presence who target or monitor EU individuals.
GDPR compliance covers both general content and personal data from EU individuals under the following definitions.
General Content = anything that a customer (or any end user) stores, or processes including: Software, Data, Text, Audio and Video. Personal Data = information from which a living individual may be identified or identifiable (under EU data protection law) • Customer’s “content” might include “personal data”
Key new regulations with GDPR
- The Right to Data Portability: Individuals has the right to a copy of all personal data that controllers have regarding him or her. It also must be provided in a way that facilitates reuse.
- The Right to Be Forgotten: This gives individuals the right to have certain personal data deleted so third parties can no longer trace them.
- Privacy by Design: This helps to facilitate the inclusion of policies, guidelines, and work instructions related to data protection in the earliest stages of projects including personal data.
- Data Breach Notification: Controllers must report personal data breaches to the relevant supervisory authority within 72 hours. If there is a high risk to the rights and freedoms of data subjects, they must also notify the data subjects.
Where should I start?
It´s important to understand that Amazon Web Services (AWS) has claimed they are already GDPR compliant so based on the shared model (they are responsibly for the processing layer) these are the tools you have to focus on. Due to the complexity of implementing changes on existing systems and Apps we have break it into 4 different categories and we describe AWS tools that will help you to become GDPR compliant:
1) Data Access control: Multi Factor Auth, API req Auth and temporary Access token.
2) Monitoring Access: CloudTrail ON, Inspector, Macie and AWS config.
3) Data Encryption: Encryption at rest with AES256 and at transit.
4) Compliance framework: Appropriate technical and organizational measures may need to include “the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services.” SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70) / SOC 2 / SOC 3 PCI DSS Level 1 ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018 FIPS 140-2 C5
There are other tools that can be found in AWS marketplace that will help you with the process of implementing GDPR and itś also important to have a Consulting or Technology partner on this journey that will speed up the process and also assure the results. Teracloud.io has proven experience helping organizations becoming PCI, HIPPA and right now GDPR compliant. In case you need help do not hesitate to contact us at firstname.lastname@example.org