AWS Cloud GDPR challenges, solved: in this webinar (recording on our YouTube channel) we show you exactly which GDPR Articles you need to worry about and how to address data security with automation, plus the top 10 best practices to implement step by step.
2. • Faisal Jawaid
Dir of Product Management
Security & Compliance
• Ahmed Khan
AWS Partner Manager – Strategic Sales
Meet Our Speakers
3. What will we learn today?
• Overview of GDPR
• How to inventory GDPR personal data (PII) in your AWS S3 buckets and other databases
• Article 5 Six Principles of GDPR Data Accountability
• Article 32 Security of Processing
• Article 25 Data Privacy by Design and by Default
• Article 28 Third Party Compliance
• Article 44 International Transfers
• TOP 10 AWS BEST PRACTICES for GDPR – Technical Controls
• Cloudnosys Security & Compliance Platform
• Q & A
4. GDPR
Overview of GDPR
1. One law for privacy across the 28 EU member states: Regulation (EU) 2016/679 (GDPR)
2. GDPR applies from 25 May 2018
3. Accountability: detailed data subject rights and restrictions on processing (see the
Articles for details), binding on data processors and controllers alike
4. The new GDPR framework is complex yet detailed
5. Data scope: beyond DOB, NI number, biometrics and geolocation, it covers online
identifiers and inferred user data (Article 4 and Recital 30)
6. Breach notification to the supervisory authority within 72 hours (Article 33)
7. One-stop-shop enforcement: an organization operating in several member states
deals with one lead supervisory authority
8. Privacy by design: demonstrate testable controls and information governance
9. Personal data may only be collected and processed for specified, explicit and
legitimate purposes (Article 5)
10. The GDPR applies to companies worldwide that process personal data of individuals
in the EU, whether or not the company is established there (Article 3)
5. Personal data is essentially any information relating to an individual who could be identified from
one or more identifiers. The GDPR explicitly covers online identifiers, alone or in combination with
other unique identifiers:
●Article 4 (1), “‘personal data’ means any information relating to an identified or identifiable natural person
(‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an online
identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic,
cultural or social identity of that natural person.”
●Recital – 30 Natural persons may be associated with online identifiers provided by their devices,
applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers
such as radio frequency identification tags. This may leave traces which, in particular when combined with
unique identifiers and other information received by the servers, may be used to create profiles of the
natural persons and identify them.
What is personal data of a Natural Person?
6. ● Use Amazon Macie to discover PII and classify your datasets in S3.
● For other data stores (MongoDB, MS SQL Server, Oracle, RDS, etc.) use commercial scanners
such as Dataguise, DataSunrise or Imperva, or free open-source database scanning tools on GitHub.
Obvious examples of personal data include:
• Full name
• Home address
• Email address (work email addresses are classed as personal data)
• Telephone number
• National Insurance number (UK) or other national ID number
• Date of birth
• Driver’s license number
• Vehicle license plate
• Credit card number
• Geo locations
• IP Addresses
• Cookie identifiers
• RFID tags
• Racial or ethnic origin, gender and other sensitive attributes (special categories under Article 9; conditions for consent in Article 7)
First Inventory your PII data on AWS – How?
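As an added example (not code from the webinar, Amazon Macie or Cloudnosys), the following Python scanner shows what the first inventory step does at its simplest: run identifier patterns over the contents of each object, keep a per-object count by identifier type, and record only a masked value so the inventory itself does not become another copy of the personal data. The S3 object names and record contents are constructed for the example; the patterns cover four of the identifiers listed above (email, IPv4 address, UK National Insurance number, payment card number confirmed with a Luhn check) and the NI pattern is simplified.

```python
import re
from collections import Counter

# Constructed sample objects standing in for S3 objects or database exports.
SAMPLE_OBJECTS = {
    "s3://example-bucket/exports/customers.csv":
        "name,email,ip\nJane Doe,jane.doe@example.com,203.0.113.7\n",
    "s3://example-bucket/logs/app.log":
        "2018-05-25T10:00:00Z client=198.51.100.23 GET /account\n",
    "s3://example-bucket/hr/payroll.txt":
        "NI AB123456C card 4111 1111 1111 1111 amount 13.50\n",
    "s3://example-bucket/public/readme.txt":
        "No personal data here. Version 20180525\n",
}

# Identifier patterns (simplified; tune them before scanning real data).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    # UK National Insurance number: two letters, six digits, suffix A-D.
    "uk_ni": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    # 13-19 digits with optional spaces or dashes; confirmed by Luhn below.
    "card_candidate": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to separate card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the inventory is not itself PII."""
    return "***" + value[-4:]


def find_pii(text: str):
    """Return [(identifier_type, masked_value), ...] for one object's contents."""
    hits = []
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(text):
            value = match.group(0).strip()
            if kind == "card_candidate":
                digits = re.sub(r"[ -]", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # long number, but not a card number
                label = "card_number"
            else:
                label = kind
            hits.append((label, mask(value)))
    return hits


def inventory(objects):
    """Map each object name to {identifier_type: count}; an empty dict means no hits."""
    return {name: dict(Counter(label for label, _ in find_pii(text)))
            for name, text in objects.items()}


if __name__ == "__main__":
    for name, counts in inventory(SAMPLE_OBJECTS).items():
        print(name, counts or "no personal data found")
```

The per-object counts are what feed the classification step (which buckets hold special-category or payment data, which are clean); the masked values are enough to verify a hit by hand without copying the identifier into the report.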
7. The purpose of GDPR is to improve the way personal data is stored and used. It is founded on six
principles of data accountability (Article 5), specifically that personal data shall be:
1. Processed lawfully, fairly and in a transparent manner
2. Collected for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary
4. Accurate and, where necessary, kept up to date
5. Kept in a form which permits identification of Data Subjects for no longer than is necessary
6. Processed in a way that ensures appropriate security of the personal data
The Data Controller is responsible for, and must be able to demonstrate, compliance with these principles.
Article 5(1)(f) also requires security against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Article 5
Six principles of data accountability
8. “the controller and the processor shall implement appropriate technical
and organisational measures to ensure a level of security appropriate
to the risk.”
What does this mean?
Implement a risk assessment process, keep the risk register current, and run a Data Protection
Impact Assessment (DPIA, Article 35) for high-risk processing, covering risks such as data loss
and breach. Article 32(1) also names the measures to consider: pseudonymisation and encryption,
ongoing confidentiality, integrity, availability and resilience, timely restoration of availability after
an incident, and regular testing of the effectiveness of the controls.
Article 32 – Security of Processing
9. Article 25 of the GDPR codifies both the concepts of privacy by design and privacy by
default. Under this Article a data controller is required to implement appropriate technical
and organisational measures both at the time of determination of the means for
processing and at the time of the processing itself in order to ensure data protection
principles such as data minimisation are met. Any such privacy by design measures may
include, for example, pseudonymisation or other privacy-enhancing technologies.
What does this mean?
- Data subjects do not have to ask you to protect their data; protection is the default
- You must implement encryption, configuration management and IAM controls for your cloud workloads
- (Technical) AWS security and compliance controls
Article – 25
Data Privacy by Design and by Default
10. What does it mean for cloud providers?
Legal:
● Standard Contractual Clauses for Controller to Processor transfers of personal data (sample
legal doc at iapp.org)
● AWS offers a GDPR Data Processing Addendum (DPA) to customers; review and sign it. (A BAA is
the HIPAA instrument, not a GDPR one.)
Technical:
● Require third parties that run on AWS to provide CIS AWS Foundations Benchmark and
GDPR-specific cloud scan results monthly or quarterly, depending on data volume. Put that
obligation in the contract!
Article 28 – Third Party Compliance
11. Article 44 of the GDPR prohibits transfers of personal data outside the EU/EEA unless the
conditions of Chapter V are met: an adequacy decision for the destination, appropriate safeguards
such as Standard Contractual Clauses or Binding Corporate Rules, or one of the narrow derogations.
These are set out in Articles 45 to 49.
● Adequacy decisions: The European Commission can find that a non-EU/EEA jurisdiction
provides data protection essentially equivalent to the GDPR. At the time of this webinar the
following jurisdictions had an adequacy decision: Andorra, Argentina, Canada (commercial
organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand,
Switzerland and Uruguay.
● Privacy Shield Framework: Adopted on 12 July 2016, the Framework allowed U.S. organizations to
self-certify to the U.S. Department of Commerce and publicly commit to comply with its data
protection requirements; that commitment was enforceable under U.S. law. (The CJEU invalidated the
Privacy Shield adequacy decision in July 2020 in Schrems II, so U.S. transfers now need another
Chapter V basis.)
Article – 44 International Transfers
12. Summary : A quick checklist for your Cloud
Legal Responsibility and Obligations
Review and sign the AWS GDPR Data Processing Addendum (DPA). AWS has stated that its services will
be GDPR-ready by 25 May 2018. If you transfer EU data to the U.S., review the Privacy Shield Framework and self-certify.
Organizational Responsibilities
Appoint a Data Protection Officer (Article 37) to govern and benchmark the program.
Technical Responsibility and Obligations
Inventory data, and implement strong controls to maintain data privacy. Pay attention to DLP, encryption,
and CIS/PCI/HIPAA-equivalent controls around AWS configuration monitoring, plus audit trail management.
Implement cloud compliance automation to manage these controls and monitor them continuously in near real time.
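Slide 9 (encryption, configuration management and IAM controls by default) and the technical checklist above (configuration monitoring, audit trails, continuous compliance automation) both come down to evaluating account configuration against a rule set. The following Python is an added example of that kind of check, not code from AWS, Cloudnosys or the webinar: it evaluates a constructed snapshot shaped like the relevant boto3 responses (S3 default encryption, public access block, server access logging, IAM policy documents) and reports the buckets and policies that violate privacy by default. The bucket names, policy names and the `evaluate` function are invented for the example; in practice the snapshot would be collected with boto3 or AWS Config and the check run on a schedule.

```python
# Constructed snapshot; field shapes follow the corresponding boto3 responses
# (get_bucket_encryption, get_public_access_block, get_bucket_logging,
# get_policy_version) but every value is invented for this example.
SNAPSHOT = {
    "buckets": {
        "customer-exports": {
            "default_encryption": {"SSEAlgorithm": "aws:kms",
                                   "KMSMasterKeyID": "alias/gdpr-customer-data"},
            "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                    "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
            "logging_enabled": True,
        },
        "marketing-assets": {
            "default_encryption": None,  # no default SSE configured
            "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                                    "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
            "logging_enabled": False,
        },
    },
    "iam_policies": {
        "AnalystReadExports": {"Statement": [{
            "Effect": "Allow", "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::customer-exports/*"}]},
        "LegacyAdmin": {"Statement": [{
            "Effect": "Allow", "Action": "*", "Resource": "*"}]},
    },
}

PUBLIC_ACCESS_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets")


def as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_buckets(buckets):
    """Return (bucket, finding) pairs for buckets not private, encrypted and logged by default."""
    findings = []
    for name, cfg in buckets.items():
        if not cfg.get("default_encryption"):
            findings.append((name, "no default encryption at rest (Art. 32(1)(a))"))
        pab = cfg.get("public_access_block") or {}
        if not all(pab.get(flag) for flag in PUBLIC_ACCESS_FLAGS):
            findings.append((name, "public access not fully blocked (Art. 25 by default)"))
        if not cfg.get("logging_enabled"):
            findings.append((name, "server access logging disabled (no audit trail)"))
    return findings


def check_iam_policies(policies):
    """Flag Allow statements that grant every action on every resource."""
    findings = []
    for name, doc in policies.items():
        statements = doc.get("Statement", [])
        if isinstance(statements, dict):  # a single statement may be a bare object
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") != "Allow":
                continue
            actions = as_list(stmt.get("Action"))
            resources = as_list(stmt.get("Resource"))
            if "*" in actions and "*" in resources:
                findings.append((name, "Allow * on * (violates least privilege)"))
    return findings


def evaluate(snapshot):
    """Run all checks; empty lists mean the snapshot passes."""
    return {
        "buckets": check_buckets(snapshot["buckets"]),
        "iam": check_iam_policies(snapshot["iam_policies"]),
    }


if __name__ == "__main__":
    for area, findings in evaluate(SNAPSHOT).items():
        for resource, finding in findings:
            print(f"[{area}] {resource}: {finding}")
```

Each finding names the Article it maps to so the output doubles as evidence for the accountability principle; running the same check after every change (or on a schedule) is what the slide calls continuous monitoring in near real time.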