By Kiril Dubrovsky, Principal Solutions Architect at G2 Tech Group
We’ve covered a lot of the basics of GDPR in previous blogs and have talked a bit about your responsibilities as what GDPR refers to as a controller. GDPR (Article 32, "Security of processing") requires that both controllers and processors implement appropriate Technical and Organizational Measures (TOMs) to protect personal data, and it names four measures in particular:
- Pseudonymisation and encryption of personal data
- Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
- Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
- Process for regularly testing, assessing, and evaluating the effectiveness of TOMs
So processors and controllers both clearly have a role in complying with GDPR and ensuring customers’ data is handled responsibly, and as a controller, you need to be able to count on your processor to be holding up their end of the bargain!
Shared Responsibility for GDPR Compliance
Thankfully, AWS is on top of this: it announced ahead of the 25 May 2018 enforcement date that all AWS services can be used in compliance with GDPR, and it applies its Shared Responsibility Model to GDPR, spelling out what AWS is responsible for as a processor and what you are responsible for as a controller. Here is the shortened list breaking down who is responsible for what:
- Legal Compliance (both controllers and processors)
- System Security and Data Protection by Design (both controllers and processors)
- Records of Processing Activities (both controllers and processors)
- Encryption (both controllers and processors)
- Security of Personal Data (controller responsibility)
- Managing Data Subject Consent (controller responsibility)
- Managing Personal Data Deletion (both controllers and processors)
- Managing Personal Data Portability (controller responsibility)
Within this list, AWS has tools to help with system security and data protection by design, records of processing activities, encryption, and managing personal data deletion. AWS documents these tools in its GDPR compliance material.
The key takeaways, though, are that securing personal data in your environment, managing data subject consent and managing personal data portability are solely the responsibility of the controller. AWS secures the underlying infrastructure ("security of the cloud"); how you configure the services running on it, and the data you put in them, is yours to protect ("security in the cloud"). For some, this may mean re-architecting your system and putting new procedures in place to ensure compliance. At G2 Tech Group, we’re very familiar with working within systems like these and have a lot of experience rolling them out. It’s not a massive undertaking, but it is something that requires deliberate planning, attention and know-how.
Navigating AWS Services for GDPR Compliance
AWS offers a variety of services, and since AWS has declared all of them GDPR compliant, you are free to use any of them wherever needed; whether your workload is compliant still depends on how you configure and operate them. But we know the sheer number of choices AWS offers can be overwhelming, so here is the breakdown of highlights.
(Insert the normal caveat and disclaimer here: We’re not lawyers. We’re not trying to be lawyers. Don’t take any of this as legal advice. If you have legal questions about GDPR, talk to a lawyer. Need AWS guidance? Read on!)
Protecting the data of your users is of utmost importance, and AWS has you covered with a variety of tools and services that let you “protect data by design and by default” (that’s the GDPR standard, Article 25, remember). Services like Amazon EBS, S3, Glacier and RDS all support AES-256 server-side encryption of data at rest, but only Glacier applies it unconditionally: for EBS volumes, S3 buckets and RDS instances, encryption is a setting you choose (for EBS and RDS, at creation time), so check it rather than assume it.
AWS Snowball is a fast, secure way to physically transport large volumes of data into AWS; data is encrypted before it is written to the appliance, and the keys never travel with it. Amazon API Gateway fronts your internal APIs, and VPC configuration (private subnets, security groups and network ACLs) keeps internal applications off the public internet. Of course, we always double check that VPC subnets, security groups and storage policies are actually private rather than trusting the defaults. Tools like IAM, AWS Directory Service and SAML federation secure sign-in and constrain what each identity is allowed to access.
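Because encryption at rest on EBS, S3 and RDS is a setting rather than a guarantee, the first thing we do in an account is enumerate what is actually encrypted. The following is an added example written for this post, not code from AWS or from the original article. The three audit functions take the plain dicts that the corresponding boto3 calls return, so they run offline against the constructed sample at the bottom (all identifiers, bucket names and key aliases in it are made up); collect_live() shows the boto3 calls that would feed them in a real account and is the only part that needs credentials.

```python
"""Audit encryption-at-rest on EBS volumes, S3 buckets and RDS instances.

Added example (not from the original post or from AWS). Analysis functions take the
dicts returned by boto3 describe/get calls; collect_live() gathers those live.
"""
from typing import Dict, List, Optional


def audit_ebs_volumes(volumes: List[dict]) -> List[str]:
    """Findings for entries of describe_volumes()['Volumes'] that are not encrypted."""
    return [f"EBS volume {v['VolumeId']} is not encrypted"
            for v in volumes if not v.get("Encrypted", False)]


def audit_s3_buckets(encryption_by_bucket: Dict[str, Optional[dict]]) -> List[str]:
    """Map of bucket name -> 'ServerSideEncryptionConfiguration' from get_bucket_encryption(),
    or None when that call raised ServerSideEncryptionConfigurationNotFoundError
    (meaning the bucket has no default encryption at all)."""
    findings = []
    for bucket, cfg in encryption_by_bucket.items():
        if cfg is None:
            findings.append(f"S3 bucket {bucket} has no default encryption")
            continue
        algos = {rule.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
                 for rule in cfg.get("Rules", [])}
        if not algos & {"AES256", "aws:kms"}:
            findings.append(f"S3 bucket {bucket} default encryption rule names no SSE algorithm")
    return findings


def audit_rds_instances(instances: List[dict]) -> List[str]:
    """Findings for entries of describe_db_instances()['DBInstances'] without encrypted storage."""
    return [f"RDS instance {db['DBInstanceIdentifier']} storage is not encrypted"
            for db in instances if not db.get("StorageEncrypted", False)]


def run_audit(data: dict) -> List[str]:
    """Combine the three audits over one collected snapshot."""
    return (audit_ebs_volumes(data["volumes"])
            + audit_s3_buckets(data["s3"])
            + audit_rds_instances(data["rds"]))


def collect_live(region: str) -> dict:
    """Collect the same inputs from a real account. Needs boto3 and credentials; not run here."""
    import boto3  # imported lazily so the offline audit needs no AWS SDK
    from botocore.exceptions import ClientError

    ec2 = boto3.client("ec2", region_name=region)
    s3 = boto3.client("s3", region_name=region)
    rds = boto3.client("rds", region_name=region)

    volumes = [v for page in ec2.get_paginator("describe_volumes").paginate()
               for v in page["Volumes"]]
    encryption: Dict[str, Optional[dict]] = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        try:
            encryption[name] = s3.get_bucket_encryption(Bucket=name)["ServerSideEncryptionConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
                raise
            encryption[name] = None  # no default encryption configured
    instances = [db for page in rds.get_paginator("describe_db_instances").paginate()
                 for db in page["DBInstances"]]
    return {"volumes": volumes, "s3": encryption, "rds": instances}


# Constructed sample snapshot: shapes follow the boto3 responses, all names are invented.
SAMPLE = {
    "volumes": [
        {"VolumeId": "vol-0aaa", "Encrypted": True,
         "KmsKeyId": "arn:aws:kms:eu-west-1:123456789012:key/example"},
        {"VolumeId": "vol-0bbb", "Encrypted": False},
    ],
    "s3": {
        "customer-records": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/customer-data"}}]},
        "legacy-exports": None,
    },
    "rds": [
        {"DBInstanceIdentifier": "crm-prod", "StorageEncrypted": True},
        {"DBInstanceIdentifier": "crm-staging", "StorageEncrypted": False},
    ],
}

if __name__ == "__main__":
    for finding in run_audit(SAMPLE):
        print(finding)
```

Running it against the sample reports the unencrypted volume, the bucket without default encryption and the unencrypted staging database; on a live account, replace SAMPLE with collect_live("eu-west-1") and run it per region, since EBS volumes and RDS instances are regional.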
Processing & Security
Security of data processing is essential under GDPR (and just a good idea regardless!), and AWS provides the tools you need to keep processing encrypted and the keys under your control. AWS KMS is Amazon’s managed service for creating and controlling encryption keys, and it is what the server-side encryption options of EBS, S3 and RDS use under the hood. AWS CloudHSM is a managed, single-tenant hardware security module (FIPS 140-2 Level 3 validated) for workloads that must keep keys in dedicated hardware for regulatory reasons. In both cases the data itself is protected at rest with AES-256.
Processing Records & Logs
With GDPR focused on data security, a core component is recording and logging your processing activities. AWS Service Catalog lets you publish a central catalog of approved, pre-configured IT services so that teams deploy only vetted building blocks. AWS CloudTrail records the API calls made across your AWS account (who called what, from where, and when), which is your audit trail of administrative activity. AWS Config records the configuration of your AWS resources and every change to it, and can evaluate those configurations against rules, giving you change management and continuous compliance monitoring.
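CloudTrail is only useful as evidence if someone looks at it, and the events that matter most for the TOMs above are the ones that remove a protection: dropping a bucket’s default encryption, disabling or scheduling deletion of a KMS key, or switching CloudTrail or Config off. The following detection is an added example written for this post, not code from AWS or from the original article. The event names are real AWS API actions as they appear in CloudTrail; the log records themselves are constructed to follow the CloudTrail record format, with made-up account IDs, ARNs and resource names.

```python
"""Flag CloudTrail records that weaken encryption or audit logging.

Added example (not from the original post or from AWS). SAMPLE_LOG is a constructed
CloudTrail log file; the (eventSource, eventName) pairs in WATCHED are real API actions.
"""
import json
from typing import Dict, List, Tuple

# Management-plane calls that remove a protection rather than add one.
WATCHED: Dict[Tuple[str, str], str] = {
    ("s3.amazonaws.com", "DeleteBucketEncryption"): "S3 bucket default encryption removed",
    ("ec2.amazonaws.com", "DisableEbsEncryptionByDefault"): "EBS encryption-by-default disabled",
    ("kms.amazonaws.com", "ScheduleKeyDeletion"): "KMS key scheduled for deletion",
    ("kms.amazonaws.com", "DisableKey"): "KMS key disabled",
    ("cloudtrail.amazonaws.com", "StopLogging"): "CloudTrail logging stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "CloudTrail trail deleted",
    ("config.amazonaws.com", "StopConfigurationRecorder"): "AWS Config recording stopped",
}

# requestParameters keys that name the affected resource for the calls above.
RESOURCE_KEYS = ("bucketName", "keyId", "name", "configurationRecorderName")


def detect(records: List[dict]) -> List[dict]:
    """Return one finding per watched record, including denied attempts (errorCode present)."""
    findings = []
    for rec in records:
        key = (rec.get("eventSource"), rec.get("eventName"))
        if key not in WATCHED:
            continue
        params = rec.get("requestParameters") or {}
        resource = next((params[k] for k in RESOURCE_KEYS if k in params), None)
        findings.append({
            "time": rec.get("eventTime"),
            "what": WATCHED[key],
            "resource": resource,
            "actor": (rec.get("userIdentity") or {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            # CloudTrail only sets errorCode when the call failed, e.g. "AccessDenied".
            "outcome": rec.get("errorCode", "success"),
        })
    return findings


def load_records(log_text: str) -> List[dict]:
    """A CloudTrail log file is a JSON object with a top-level 'Records' array."""
    return json.loads(log_text)["Records"]


# Constructed sample log: four records, one of which (DescribeVolumes) is benign.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2018-05-28T09:12:41Z",
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteBucketEncryption",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DataOps/alice"},
     "requestParameters": {"bucketName": "customer-records"}},
    {"eventVersion": "1.05", "eventTime": "2018-05-28T09:13:02Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeVolumes",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DataOps/alice"},
     "requestParameters": {}},
    {"eventVersion": "1.05", "eventTime": "2018-05-28T09:15:19Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "eu-west-1", "sourceIPAddress": "198.51.100.23",
     "userIdentity": {"type": "IAMUser",
                      "arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"name": "org-trail"},
     "errorCode": "AccessDenied"},
    {"eventVersion": "1.05", "eventTime": "2018-05-28T09:20:55Z",
     "eventSource": "kms.amazonaws.com", "eventName": "ScheduleKeyDeletion",
     "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DataOps/alice"},
     "requestParameters": {"keyId": "1234abcd-12ab-34cd-56ef-1234567890ab",
                           "pendingWindowInDays": 7}},
]})

if __name__ == "__main__":
    for finding in detect(load_records(SAMPLE_LOG)):
        print(finding)
```

The denied StopLogging attempt is reported alongside the successful calls on purpose: an identity that tries to switch off your audit trail is worth a look even when IAM stopped it. In production the same function can run over the gzipped log files CloudTrail delivers to S3, or the records can be routed to it through CloudWatch Logs.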
Additional Compliance Frameworks
Depending on your specific needs as a company, you may have additional compliance frameworks that you need to follow. GDPR Article 32(1)(b) requires “the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services,” and several existing frameworks address the same ground. Those that AWS itself is audited or validated against include:
- SOC 1 / SSAE 16 (now superseded by SSAE 18) / ISAE 3402 (formerly SAS 70) / SOC 2 / SOC 3
- PCI DSS Level 1
- ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
- FIPS 140-2 (a validation standard for cryptographic modules rather than an organizational framework; it applies to components such as CloudHSM and the HSMs behind KMS)
If your company follows any of these compliance frameworks, you may need to do additional work on top of GDPR. The reverse is also true: controls you already maintain for them (access control, logging, encryption, change management) can serve as evidence for your GDPR TOMs.
Need help figuring GDPR, other compliance requirements or data security best practices? Set up an SA On-Demand Session with a G2 Solutions Architect for some free Q&A.