Amazon Web Services Reports That All GA Services Are Now GDPR Ready


On May 25th, 2018, the European Union's General Data Protection Regulation (GDPR) comes into effect. Amazon Web Services recently announced that all of its generally available services now comply with GDPR.

GDPR is the largest overhaul of data privacy regulations in the past 20 years, affecting not only organisations with operations in the European Union, but any organisation that handles EU citizens' data, regardless of where the organisation is located.

Getting AWS services to become GDPR-ready is a task that requires multiple approaches. Security of personal data forms the basis of GDPR compliance; AWS has implemented and certified its services against a series of international standards. Examples of the standards AWS has certified its services against include: ISO 27017 for cloud security, ISO 27018 for cloud privacy, ISO 27001 for technical measures, Service Organisation Control 1/2/3 and EU specific certifications like BSI’s Common Cloud Computing Controls Catalogue (C5).

AWS also provides a set of services which can help with the security aspect of GDPR implementation. Amazon GuardDuty can help with threat detection and continuous monitoring, flagging activity such as unusual API calls or potentially unauthorised deployments that indicate a possible account compromise. Amazon Macie is a machine-learning-based service that can help discover inappropriately stored Personally Identifiable Information (PII) and intellectual-property-related information on AWS's S3 object storage platform. Amazon Inspector can automatically assess the security of AWS-based applications. Finally, AWS Config Rules can continuously monitor cloud resources for security compliance.

AWS has also published a seventeen-page document with information on Navigating GDPR compliance on AWS and a portal with GDPR information. AWS also offers a GDPR-compliant Data Processing Addendum (DPA) to help customers meet their own GDPR obligations. AWS is conforming to the CISPE Code of Conduct as part of the GDPR requirements. Amazon offers a two-day GDPR workshop and will feature GDPR presentations during the upcoming AWS Summits in European countries, as well as in San Francisco and Tokyo.

As noted above, GDPR has extra-territorial applicability, meaning that it applies to the processing of personal data by controllers and processors established in the EU, regardless of whether the processing itself takes place in the EU. It also applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, if the activities relate to goods or services offered to EU citizens. Interested readers may also want to read more about a related piece of new United States legislation, the CLOUD Act, which clarifies how and when the U.S. and other countries can gain access to data stored on cloud servers in each other's legal jurisdictions.

Another key aspect of GDPR is that data capture and processing consent must be clear and easy to read and understand. The purpose of data processing must be attached to the consent and it must be as easy to withdraw consent as it is to grant it.

EU customers have several rights under the new GDPR regulation, including the Right to be Forgotten, Right of Access, Right of Data Portability and Privacy by Design and by Default. Companies worldwide processing EU customer data have the obligation to report data breaches within 72 hours of first being aware of the breach. They also need to appoint a Data Protection Officer (DPO).

Violators of the GDPR can be fined up to 20 million Euros or 4% of annual turnover, whichever is greater, meaning that non-compliance can be very costly.
