The European Union’s General Data Protection Regulation (GDPR) protects European Union citizens’ fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance. Come learn how to work with AWS to build your security and data protection strategy, and how to transform the way your organisation processes data. In this session, we will examine GDPR as the baseline for data protection, with the belief that organisations should aim higher. The cloud makes this a realistic goal.
3. What is the GDPR?
• The "GDPR" is the General Data Protection Regulation, a significant new EU Data Protection Regulation
• Introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance across the EU
• The GDPR is enforceable from 25 May 2018, and it replaces the EU Data Protection Directive (Directive 95/46/EC)
• Territorial scope: organisations established in the EU and those without an EU presence who target or monitor EU individuals
4. Content vs. Personal Data
Content = anything that a customer (or any end user) stores or processes using AWS services, including: Software | Data | Text | Audio | Video
Personal Data = information from which a living individual may be identified or identifiable (under EU data protection law)
• Customer’s “content” might include “personal data”
5. What Else Comes With GDPR?
Individuals have the right to a copy of all of the personal data that controllers hold about them. It also must be provided in a way that facilitates reuse.
6. What Else Comes With GDPR?
This gives individuals the right to have certain personal data deleted so that third parties can no longer trace them.
7. What Else Comes With GDPR?
This helps to facilitate the inclusion of policies, guidelines, and work instructions related to data protection in the earliest stages of projects involving personal data.
8. What Else Comes With GDPR?
Controllers must report personal data breaches to the relevant supervisory authority within 72 hours. If there is a high risk to the rights and freedoms of data subjects, they must also notify the data subjects.
9. How can AWS help customers achieve GDPR compliance?
11. Bringing it all together
[Diagram: Data Subjects → Customers are Controllers → AWS as Processor. Controllers and Processors have obligations under GDPR.]
12. Bringing it all together
[Diagram: Data Subjects → Customer’s customer as Controller → Customer as Processor → AWS as Processor. Controllers and Processors have obligations under GDPR.]
13. Transferring Content
[Map of AWS Regions, showing each Region with its number of Availability Zones and a new Region (coming soon)]
Customers decide where their data will be stored. Customers may choose to transfer content that includes personal data:
• From the EEA to a country outside the EEA: the Data Processing Addendum includes the Standard Contractual Clauses/Model Clauses
• From the EU to the US: EU-US Privacy Shield Framework
14. GDPR in Practice: Implementing TOMs
Under GDPR, controllers and processors are required to implement appropriate technical and organisational measures (TOMs) …
(1) Pseudonymisation and encryption of personal data
(2) Ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
(3) Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
(4) Process for regularly testing, assessing, and evaluating the effectiveness of TOMs
15. What AWS provides
• Tools and Services
• Compliance Framework
• Partner Network
• Data Protection Terms
16. AWS Shared Responsibility Model
AWS is responsible for the security OF the cloud:
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
Customers are responsible for their security and compliance IN the cloud:
• Customer content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection
17. GDPR is also a “shared responsibility”
Legal Compliance (both controllers and processors)
System Security and Data Protection by Design (both controllers and processors; AWS has tooling to help)
Records of Processing Activities (both controllers and processors; AWS has tooling to help)
Encryption (both controllers and processors; AWS has tooling to help)
Security of Personal Data (controller responsibility)
Managing Data Subject Consent (controller responsibility)
Managing Personal Data Deletion (both controllers and processors; AWS has tooling to help)
Managing Personal Data Portability (controller responsibility)
19. GDPR Compliance Tools
The controller “shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
Multi-factor authentication
API-Request Authentication
Temporary Access Tokens
21. GDPR Compliance Tools
“Each controller and, where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.”
CloudTrail
Amazon Inspector
Macie
AWS Config
24. GDPR Compliance Tools
Organisations must “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the pseudonymisation and encryption of personal data.”
Encryption of your data at rest with AES256 (EBS/S3/Amazon Glacier/RDS)
Centralised (by Region) key management with AWS KMS
IPsec tunnels into AWS with VPN Gateways
Dedicated HSM modules in the cloud with CloudHSM
26. GDPR Compliance Tools
Appropriate technical and organisational measures may need to include “the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of the processing systems and services.”
SOC 1 / SSAE 16 / ISAE 3402 (formerly SAS 70) / SOC 2 / SOC 3
PCI DSS Level 1
ISO 9001 / ISO 27001 / ISO 27017 / ISO 27018
FIPS 140-2
C5
27. [Diagram: AWS Foundation Services and AWS Global Infrastructure are built on AWS’s consistent baseline controls and the GDPR Code of Conduct; customers layer their own accreditation, their own certifications and their own external audits on top to meet their own security objectives. Customer scope and effort is reduced; better results through focused efforts.]
28. GDPR – Code of Conduct
CISPE Code (Cloud Infrastructure Service Providers in Europe)
The CISPE Code of Conduct:
• An effective, easily accessed framework for complying with the EU’s GDPR
• Excludes the re-use of customer data
• Enables data storage and processing exclusively within the EU
• Identifies cloud infrastructure services suitable for different types of data processing
• Helps citizens to retain control of their personal and sensitive data
• AWS CISPE certified
• CISPE Code of Conduct in evaluation by Article 29 WP
30. AWS Partner Network (APN) & the GDPR
Consulting Partners: APN consulting partners can help your customers get ready for GDPR.
Technology Partners: APN technology partners offer security & identity solutions to help with GDPR.
Let’s take some time to go over some of the basics of the General Data Protection Regulation.
1. Applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.
2. Applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
3. Applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
Content
For example, a customer’s “content” includes objects that the customer stores using S3, files stored on EBS or the contents of an Amazon DynamoDB table.
Personal Data
“Personal data” includes names, email addresses, social security numbers, payroll ID numbers, etc. There’s also a recent line of cases in Europe that have determined that, in some cases, IP addresses can be “personal data”.
The Right to data portability
The GDPR creates a new right for individuals to have more control over their own personal data. In practice this means that controllers have to have the ability to provide the data subject with a copy of all the personal data that they have regarding him or her; and the ability to transfer the data to another data controller or service provider. It’s important to ensure the portability of all personal data that the individual has provided actively and knowingly. This includes information the individual has provided to you by using the service or device, such as location data or their heartbeat from a fitness tracker. This could therefore be a large collection of data. Furthermore, the data must be provided in a way that facilitates reuse. An example of this would be an email being provided in a format that preserves all the meta-data to allow effective reuse.
The right to be forgotten
The right to be forgotten gives individuals the right to have certain personal data deleted so that third parties can no longer trace them. In practice, this means that such personal data needs to be deleted entirely from the controller’s system and, if the controller has made the information public, such as on the internet, then the controller has to ensure that all links to the information have been erased.
Privacy by design
The concepts of privacy by design and privacy by default help to promote compliance with data protection laws and regulations from the earliest stages of projects involving personal data. Clear policies, guidelines, and work instructions related to data protection should be developed and the input of a privacy specialist should be sought to assist with applying these requirements. Development methods that are used within the organization, such as agile or waterfall methodologies, must be taken into account in order to apply the concepts throughout the entire development process. This will enable the development teams to take appropriate measures in the relevant phases. Finally, when a design has been completed, it must be adopted by the organization and monitored throughout its lifetime.
Data breach notification
If security measures are breached and personal data is unlawfully processed, the controller must report such a breach to the supervisory authority within 72 hours. Also, if there is a high risk to the rights and freedoms of data subjects or other individuals, the controller must also notify the data subjects.
Customers decide where their content will be stored.
The AWS infrastructure is built around Regions and Availability Zones. A Region is a location in which there are multiple Availability Zones. Availability Zones consist of one or more discrete data centres. AWS currently has three Regions in the EU—Ireland (Dublin), UK (London) and Germany (Frankfurt).
This set-up allows customers with specific geographic requirements to establish environments in a location of their choice. For example, AWS customers in Europe can choose to deploy their AWS services exclusively in the Germany region.
Customers may choose to transfer content that includes personal data cross border. AWS offers customers a data processing addendum that includes the Standard Contractual Clauses/Model Clauses that would apply where a customer transfers data containing personal data from the EEA to a country outside the EEA.
The EU data protection authority, known as the Article 29 Working Party, has approved the AWS Data Processing Addendum and Model Clauses. This approval means that customers who require the Model Clauses can rely on the AWS DPA as providing sufficient contractual commitments to enable international data flows in compliance with the EU data protection Directive.
In addition to the AWS DPA and the Model Clauses, customers who wish to transfer content that includes personal data from an EU Region to a US region benefit from AWS’ participation in the EU-US Privacy Shield Framework.
We look after the security OF the cloud, and you look after your security IN the cloud.
To protect your application, AWS invests in a broad portfolio of security, identity, and management tools to help ensure your applications are secure and operate in a compliant manner.
--NETWORKING--
Amazon VPC: Amazon Virtual Private Cloud (Amazon VPC) lets you provision a logically isolated section of the Amazon Web Services (AWS) cloud where you can launch AWS resources in a virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address range, creation of subnets, and configuration of route tables and network gateways. With Amazon VPC, you can make the Amazon cloud a seamless extension of your existing on-premises resources.
AWS WAF: AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create custom rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that are designed for your specific application. New rules can be deployed within minutes, letting you respond quickly to changing traffic patterns. Also, AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of web security rules.
--ENCRYPTION--
AWS KMS: AWS Key Management Service (KMS) is a managed service that makes it easy for you to create and control the encryption keys used to encrypt your data, and uses Hardware Security Modules (HSMs) to protect the security of your keys. AWS Key Management Service is integrated with several other AWS services to help you protect your data you store with these services. AWS Key Management Service is also integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
AWS CloudHSM: The AWS CloudHSM service helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS cloud. With CloudHSM, you control the encryption keys and cryptographic operations performed by the HSM.
Server-side Encryption: AWS allows data to be encrypted with AWS service managed keys, AWS managed keys via AWS KMS, or customer managed keys. We also make the AWS Encryption SDK freely available to help developers correctly generate and use encryption keys, as well as protect the key after it has been used.
--IDENTITY--
AWS IAM: AWS Identity and Access Management (IAM) enables you to securely control access to AWS services and resources for your users. Using IAM, you can create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
AWS Directory Service: AWS Directory Service makes it easy to setup and run Microsoft Active Directory (AD) in the AWS cloud, or connect your AWS resources with an existing on-premises Microsoft Active Directory. Once your directory is created, you can use it to manage users and groups, provide single sign-on to applications and services, create and apply group policy, domain join Amazon EC2 instances, as well as simplify the deployment and management of cloud-based Linux and Microsoft Windows workloads.
SAML Federation: AWS IAM supports SAML 2.0 to allow identity integration with most major identity management solutions. [http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml_3rd-party.html]
--COMPLIANCE--
AWS Service Catalog: AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS. These IT services can include everything from virtual machine images, servers, software, and databases to complete multi-tier application architectures. AWS Service Catalog allows you to centrally manage commonly deployed IT services, and helps you achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need.
AWS CloudTrail: AWS CloudTrail is a web service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service. With CloudTrail, you can get a history of AWS API calls for your account, including API calls made via the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services (such as AWS CloudFormation). The AWS API call history produced by CloudTrail enables security analysis, resource change tracking, and compliance auditing.
AWS Config: AWS Config is a fully managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and governance. Config Rules enables you to create rules that automatically check the configuration of AWS resources recorded by AWS Config. With AWS Config, you can discover existing and deleted AWS resources, determine your overall compliance against rules, and dive into configuration details of a resource at any point in time. These capabilities enable compliance auditing, security analysis, resource change tracking, and troubleshooting.
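The deck names the CloudTrail fields that matter for a record of processing activities (caller identity, time, source IP, request parameters, response elements) and, on the encryption slide, AES256 or KMS server-side encryption for S3 at rest. The following is an added example, not code from the deck or from AWS: it runs over a constructed set of CloudTrail-shaped S3 data events, builds a per-identity processing register for buckets the (hypothetical) controller has classified as personal data, and flags writes that S3 did not store with server-side encryption. The bucket names, user names and the `_event` helper are assumptions made for the example; the JSON field names follow CloudTrail's documented layout.

```python
from collections import defaultdict

# Constructed inventory for this example: buckets the hypothetical controller has
# classified as holding personal data (names are made up), and the server-side
# encryption values S3 reports in a CloudTrail record's responseElements.
PERSONAL_DATA_BUCKETS = {"payroll-eu-west-1"}
ACCEPTED_SSE = {"AES256", "aws:kms"}


def _event(time, name, user, ip, bucket, key, sse=None):
    """Build a CloudTrail-shaped S3 data event (constructed sample, not real logs)."""
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "userName": user},
            "requestParameters": {"bucketName": bucket, "key": key},
            "responseElements": {"x-amz-server-side-encryption": sse} if sse else None}


SAMPLE_RECORDS = [
    _event("2018-05-25T09:00:01Z", "PutObject", "hr-app", "203.0.113.10",
           "payroll-eu-west-1", "2018/05/salaries.csv", sse="AES256"),
    _event("2018-05-25T09:05:44Z", "PutObject", "contractor", "198.51.100.7",
           "payroll-eu-west-1", "2018/05/export.csv"),  # stored without SSE
    _event("2018-05-25T10:12:09Z", "GetObject", "hr-app", "203.0.113.10",
           "payroll-eu-west-1", "2018/05/salaries.csv"),
    _event("2018-05-25T11:00:00Z", "GetObject", "web", "192.0.2.5",
           "static-assets", "logo.png"),  # bucket holds no personal data
]


def touches_personal_data(record):
    """True when the S3 call targets a bucket classified as holding personal data."""
    params = record.get("requestParameters") or {}
    return (record.get("eventSource") == "s3.amazonaws.com"
            and params.get("bucketName") in PERSONAL_DATA_BUCKETS)


def encryption_gap(record):
    """Finding for a PutObject into a personal-data bucket that S3 did not store
    with server-side encryption (AES256 or KMS); None when the write is compliant."""
    if record["eventName"] != "PutObject" or not touches_personal_data(record):
        return None
    sse = (record.get("responseElements") or {}).get("x-amz-server-side-encryption")
    if sse in ACCEPTED_SSE:
        return None
    p = record["requestParameters"]
    return (f"{record['eventTime']} {record['userIdentity'].get('userName', '?')} wrote "
            f"s3://{p['bucketName']}/{p['key']} without server-side encryption")


def processing_register(records):
    """Per-identity record of processing over personal-data buckets: actions
    performed, source IPs seen, and the first and last event times."""
    reg = defaultdict(lambda: {"actions": set(), "source_ips": set(), "first": None, "last": None})
    for r in sorted(records, key=lambda x: x["eventTime"]):  # ISO-8601 sorts lexically
        if not touches_personal_data(r):
            continue
        e = reg[r["userIdentity"].get("userName", "?")]
        e["actions"].add(r["eventName"])
        e["source_ips"].add(r["sourceIPAddress"])
        e["first"] = e["first"] or r["eventTime"]
        e["last"] = r["eventTime"]
    return dict(reg)
```

On the constructed sample the register lists hr-app and contractor only, and the contractor's unencrypted PutObject is the single finding; real CloudTrail S3 data events must be enabled per bucket before such records exist.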
Segue to talk about FedRAMP potentially and share your experiences from around the world!
As Esther mentioned, GDPR encourages industries to develop codes of conduct to help enable the Controller to demonstrate their compliance.
The CISPE code is one such code of conduct.
Data Collection: Have you taken into account the definition of “personal data” to determine what your organization is collecting, from where, and through which mechanisms?
Access Controls: Can you identify who has access to personal data?
Data Storage/Retention: Can you inform on where personal data is stored?
Data Rights: Do you support means for customers to control access to their data?
Breach Notification: Is your organization currently supporting a breach notification program and does it meet/exceed the GDPR timelines?
Data Transfer: Do you use transfer mechanisms to process personal data?