Amazon Web Services Reports That All GA Services Are Now GDPR Ready

| by Alex Giamas Follow 10 Followers on Apr 03, 2018. Estimated reading time: 2 minutes |

On May 25th, 2018, the European Union’s General Data Protection Regulation (GDPR) comes into effect. Amazon Web Services recently announced that all of its generally available services now comply with the GDPR regulation.

GDPR is the largest overhaul of data privacy regulations in the past 20 years, affecting not only organisations with operations in the European Union, but any organisation that handles EU citizen's data, regardless of the organisation's location.

Getting AWS services to become GDPR-ready is a task that requires multiple approaches. Security of personal data forms the basis of GDPR compliance; AWS has implemented and certified its services against a series of international standards. Examples of the standards AWS has certified its services against include: ISO 27017 for cloud security, ISO 27018 for cloud privacy, ISO 27001 for technical measures, Service Organisation Control 1/2/3 and EU specific certifications like BSI’s Common Cloud Computing Controls Catalogue (C5).

AWS also provides a set of services which can help with the security aspect of GDPR implementation. Amazon GuardDuty can help with threat detection and continuous monitoring, such as unusual API calls or potentially unauthorised deployments that indicate a possible account compromise. Amazon Macie is a machine learning-based service that can help discover inappropriately stored Personally Identifiable Information (PII) and IP-related information on AWS's S3 object storage platform. Amazon Inspector can also automatically assess the security of AWS-based applications. Finally, AWS Config Rules can monitor cloud resources for security compliance.

AWS has also published a seventeen page document with information on Navigating GDPR compliance on AWS and a portal with GDPR information. AWS also offers a GDPR compliant Data Processing Addendum (DPA) enabling customers to comply with DPA regulations. AWS is conforming to the CISPE Code of Conduct as part of the GDPR requirements. Amazon offers a two-day GDPR workshop and will feature GDPR presentations during the upcoming AWS Summits in European countries, as well as in San Francisco and Tokyo.

As noted above, GDPR has an extra-territorial applicability, meaning that it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. It also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU if the activities relate to goods or services offered to EU citizens. Interested readers may also want to read more about a related piece of new United States legislation, the CLOUD Act, which clarifies how and when the U.S. and other foreign countries can gain access to data stored in cloud servers in each other’s legal jurisdictions.

Another key aspect of GDPR is that data capture and processing consent must be clear and easy to read and understand. The purpose of data processing must be attached to the consent and it must be as easy to withdraw consent as it is to grant it.

EU customers have several rights under the new GDPR regulation, including the Right to be Forgotten, Right of Access, Right of Data Portability and Privacy by Design and by Default. Companies worldwide processing EU customer data have the obligation to report data breaches within 72 hours of first being aware of the breach. They also need to appoint a Data Protection Officer (DPO).

Violators of the GDPR can be fined by up to 20 million Euros or 4% of the annual turnover, whichever is greater, meaning that non compliance can be very costly.

Rate this Article

Adoption Stage

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread


Login to InfoQ to interact with what matters most to you.

Recover your password...


Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.


More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.


Stay up-to-date

Set up your notifications and don't miss out on content that matters to you