AWS Partner Network (APN) Blog
Knowit’s ADAM Guide to GDPR Compliance on AWS
By Hans Darenberg, Senior Advisor Information & Cloud Security – Knowit Cybersecurity & Law
By Shankar Subramaniam, Sr. Enterprise Architect – AWS
In today’s digital landscape, maintaining GDPR compliance in cloud environments like Amazon Web Services (AWS) is not just a regulatory requirement – it is a business imperative. Non-compliance with GDPR exposes organizations of any size to significant financial penalties and reputational damage.
Based on Knowit Cybersecurity & Law’s comprehensive guide, Vägledning ADAM – Analys av dataskydd i AWS molnmiljö (ADAM Guidance – Analysis of Data Protection in the AWS Cloud Environment), this post provides practical insights into demonstrating GDPR compliance in AWS environments. We walk through essential strategies for managing compliance obligations and show how specific AWS features and services can help customers meet the requirements of the GDPR.
The Rights of Data Subjects
GDPR places a strong emphasis on the rights of individuals (data subjects). These include the right of access to personal data, the right to request erasure (the “right to be forgotten”), and the right to data portability.
Data Controller in the AWS Environment
Under GDPR, the data controller plays an important role in determining the purposes and means of processing personal data. When an organization uses AWS to process personal data for its own purposes, that organization (the AWS customer) acts as the data controller. As the data controller, your responsibilities include:
- Defining the purpose of data processing.
- Ensuring the lawful collection and use of personal data.
- Protecting the rights of data subjects.
Being the data controller means that while AWS provides the infrastructure, it is up to you as the data controller to ensure that personal data is processed in compliance with GDPR.
The Role of the Data Processor
If your organization uses AWS to process data on behalf of another entity, you act as a data processor. As a data processor, you must follow the instructions of the data controller and implement proper security measures to safeguard the data. In this role, you should:
- Ensure adherence to the data controller’s guidelines.
- Follow GDPR requirements related to data security and confidentiality.
- Audit and monitor data processing activities.
The data processor must maintain the integrity of the data and prevent unauthorized access. You must implement technical and organizational measures that protect personal data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access.
AWS as a Sub-Processor
AWS provides the technical infrastructure for data processing. AWS secures that infrastructure, but its role does not extend to regulating how customers use their data. AWS’s key responsibilities in this role include:
- Ensuring the security of the underlying cloud infrastructure.
- Providing certifications (or other evidence) to demonstrate compliance.
- Providing encryption services to protect the confidentiality and integrity of data at rest and in transit.
As a data controller or processor, you must ensure that your internal data protection policies align with the AWS shared responsibility model (SRM). AWS customers are responsible for choosing suitable services and configuring them appropriately.
Models used to assess GDPR compliance
In the ADAM guide we describe and discuss three models for assessing data protection responsibilities and demonstrating GDPR compliance within AWS Cloud environments:
- Data Responsibility Model: Based on guidelines from the European Data Protection Board (EDPB), this model helps determine whether an organization is a data controller or processor by assessing specific circumstances surrounding data processing activities.
- Duty of Care Model: This model outlines the obligations of data controllers under GDPR Article 28, focusing on selecting processors with adequate technical and organizational measures.
- Third-Country Transfer Assessment Model: Based on EDPB recommendations, this model assesses the legality of transferring personal data outside the EU/EEA.
These models provide structured guidance for service providers navigating GDPR obligations when using AWS, with a focus on shared responsibilities. Additional models may be needed, because other GDPR aspects may apply to your organization. One major finding from our GDPR compliance work is that organizations need cross-functional teams (legal, security, and technical) to address GDPR compliance.
Shared Responsibility Model
In the AWS shared responsibility model (SRM), AWS handles infrastructure security, while customers are accountable for securing their data, configuring access, and managing encryption. To learn more about the SRM, and the separation of responsibility for each GDPR role, explore the ADAM guide.
Customers must implement technical and organizational measures in line with GDPR to protect personal data in the AWS environment. Data security is a shared responsibility; customers must maintain their own security and compliance practices alongside AWS’s services.
Encryption: The Key to Data Security
AWS provides robust encryption services to assist organizations in safeguarding their data both at rest and in transit, as well as in use when applicable.
- Encryption at rest: using services such as AWS Key Management Service (AWS KMS) and AWS CloudHSM. The guide also discusses envelope encryption for added security, where each data encryption key (DEK) is itself encrypted with a master key that never leaves the key service, so that bulk data is encrypted locally and only small wrapped keys are handled by KMS.
- Encryption in transit: using AWS Certificate Manager (ACM) to provision and renew the TLS certificates that protect data in transit.
- Encryption in use: using the AWS Nitro System, whose confidential computing capabilities have been independently affirmed.
The guide provides a full section and an additional dedicated Appendix on this important topic.
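As an added example, not code from the ADAM guide or from AWS: the envelope encryption pattern described above, implemented in Go with the standard library’s AES-256-GCM. A hypothetical, local-only KeyService stands in for AWS KMS (it holds the key encryption key and only wraps and unwraps DEKs; in production GenerateDataKey and UnwrapDataKey would be the KMS GenerateDataKey and Decrypt calls), the context string plays the role of a KMS encryption context, and the record being encrypted is constructed sample data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is what the application stores: the payload ciphertext plus the data
// encryption key (DEK) in wrapped form. The plaintext DEK is discarded after use.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the KEK; the CiphertextBlob in AWS KMS terms
	Ciphertext []byte // nonce || AES-256-GCM ciphertext of the payload
}

// KeyService stands in for AWS KMS (hypothetical, local-only). It holds the key
// encryption key (KEK) and only wraps and unwraps DEKs; the KEK never leaves it.
type KeyService struct{ kek []byte }

func NewKeyService() *KeyService { return &KeyService{kek: randomBytes(32)} }

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something to continue past
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext under AES-GCM; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails on any change to the ciphertext or aad.
func open(key, data, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(data) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, data[:n], data[n:], aad)
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh 256-bit DEK in plaintext and
// wrapped form. context is bound as AAD, like a KMS encryption context, so the
// wrapped DEK only unwraps for a caller presenting the same context.
func (k *KeyService) GenerateDataKey(context string) (plain, wrapped []byte, err error) {
	plain = randomBytes(32)
	wrapped, err = seal(k.kek, plain, []byte(context))
	return plain, wrapped, err
}

// UnwrapDataKey mirrors KMS Decrypt applied to a wrapped DEK.
func (k *KeyService) UnwrapDataKey(wrapped []byte, context string) ([]byte, error) {
	return open(k.kek, wrapped, []byte(context))
}

// EncryptRecord: one DEK per record, payload encrypted locally, only the wrapped DEK kept.
func EncryptRecord(ks *KeyService, context string, plaintext []byte) (*Envelope, error) {
	dek, wrapped, err := ks.GenerateDataKey(context)
	if err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(context))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK through the key service, then decrypts locally.
func DecryptRecord(ks *KeyService, context string, env *Envelope) ([]byte, error) {
	dek, err := ks.UnwrapDataKey(env.WrappedDEK, context)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(context))
}

func main() {
	ks := NewKeyService()
	env, err := EncryptRecord(ks, "dataset=customers", []byte("subject=anna@example.se")) // constructed sample
	if err != nil {
		panic(err)
	}
	back, err := DecryptRecord(ks, "dataset=customers", env)
	fmt.Printf("decrypted=%q err=%v wrappedDEK=%d bytes\n", back, err, len(env.WrappedDEK))
}
```

The shape to notice is that bulk data never crosses into the key service: only 32-byte DEKs are wrapped and unwrapped there. With real KMS that means a key policy restricting kms:Decrypt to the intended roles, together with the encryption context, limits who can recover a record even if the ciphertext and wrapped DEK leak together, and GCM authentication makes any tampering with either part a hard failure rather than silently corrupted personal data.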
Monitoring and Logging for Compliance
AWS CloudTrail records API activity in your account and AWS Config tracks resource configurations over time; together they support GDPR compliance through continuous logging and security monitoring.
These tools give organizations an audit trail showing how the resources holding customer data were configured and accessed, which is the evidence a controller or processor needs to demonstrate that the data is used only as the AWS customer configured it.
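As an added example, not from the ADAM guide or from AWS: a small Go program that reads a CloudTrail log file and flags the events a GDPR evidence review would look at first: activity in regions outside a data-residency allowlist, and API calls that weaken the audit trail or the encryption of personal data. The region allowlist, the list of global services, the set of sensitive API calls, and the sample records (with a fictitious account ID) are all constructed assumptions for this example; the field names (eventSource, eventName, awsRegion, userIdentity.arn) are the ones CloudTrail uses.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Record carries the CloudTrail fields this check reads; real records have many more.
type Record struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	AWSRegion    string `json:"awsRegion"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
}

// Finding is one control-relevant event to carry into the compliance evidence.
type Finding struct {
	Rule  string
	Event Record
}

// allowedRegions is a constructed allowlist encoding a decision to keep personal data
// in EU regions; it is an assumption for this example, not a list AWS prescribes.
var allowedRegions = map[string]bool{"eu-north-1": true, "eu-west-1": true, "eu-central-1": true}

// globalServices are recorded with awsRegion us-east-1 regardless of where the caller
// is, so they are excluded from the region check rather than counted as transfers.
// IAM is the common case; extend the list for other global services you use.
var globalServices = map[string]bool{"iam.amazonaws.com": true}

// sensitiveActions are API calls that weaken either the audit trail or the
// confidentiality of personal data; each occurrence should be reviewed.
var sensitiveActions = map[string]string{
	"cloudtrail.amazonaws.com:StopLogging":    "audit trail logging stopped",
	"cloudtrail.amazonaws.com:DeleteTrail":    "audit trail deleted",
	"kms.amazonaws.com:ScheduleKeyDeletion":   "KMS key scheduled for deletion",
	"kms.amazonaws.com:DisableKey":            "KMS key disabled",
	"s3.amazonaws.com:DeleteBucketEncryption": "S3 bucket default encryption removed",
}

// Analyze parses a CloudTrail log file ({"Records":[...]}) and returns findings in
// event order: for each record, any out-of-region activity, then any sensitive call.
func Analyze(trailJSON []byte) ([]Finding, error) {
	var file struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal(trailJSON, &file); err != nil {
		return nil, fmt.Errorf("parse CloudTrail file: %w", err)
	}
	var findings []Finding
	for _, r := range file.Records {
		if !allowedRegions[r.AWSRegion] && !globalServices[r.EventSource] {
			findings = append(findings, Finding{Rule: "activity outside allowed EU regions", Event: r})
		}
		if why, ok := sensitiveActions[r.EventSource+":"+r.EventName]; ok {
			findings = append(findings, Finding{Rule: why, Event: r})
		}
	}
	return findings, nil
}

// sampleTrail is a constructed CloudTrail file; the account ID and ARNs are fictitious.
const sampleTrail = `{"Records":[
{"eventTime":"2024-05-01T08:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","awsRegion":"eu-north-1","userIdentity":{"arn":"arn:aws:iam::123456789012:role/app"}},
{"eventTime":"2024-05-01T08:05:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::123456789012:role/app"}},
{"eventTime":"2024-05-01T08:10:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateRole","awsRegion":"us-east-1","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"}},
{"eventTime":"2024-05-01T09:00:00Z","eventSource":"kms.amazonaws.com","eventName":"ScheduleKeyDeletion","awsRegion":"eu-north-1","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"}},
{"eventTime":"2024-05-01T09:30:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","awsRegion":"eu-west-1","userIdentity":{"arn":"arn:aws:iam::123456789012:user/admin"}}
]}`

func main() {
	findings, err := Analyze([]byte(sampleTrail))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s  %-36s %s %s by %s\n", f.Event.EventTime, f.Rule,
			f.Event.EventSource, f.Event.EventName, f.Event.UserIdentity.ARN)
	}
}
```

On the sample input the IAM call in us-east-1 is correctly left alone, while the S3 write to us-east-1, the KMS key deletion and the StopLogging call each become a finding. In a real account the same logic belongs in a managed pipeline (CloudTrail delivering to S3 with an EventBridge or Lambda consumer for the activity side, AWS Config rules for the configuration side), but the decision it encodes is the same: which regions and which API calls are compatible with your data protection choices, with every deviation kept as a reviewed finding.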
Managing Cross-Border Data Transfers
GDPR places strict rules on transferring personal data outside the EU/EEA. Managing cross-border data transfers is essential for GDPR compliance, especially when using global cloud services. Knowit recommends building environments that avoid third-country transfers altogether by default, unless there is a specific need and a legal ground to do so.
Knowit’s structured approach
To systematically assess and document GDPR compliance for AWS services, we recommend following this seven-step framework in Figure 1.
Figure 1 – Knowit’s structured approach.
- Identify and classify the personal data that will be used in the service.
- Define the roles and the requirements on the service from a GDPR perspective, using the legal models described above.
- Perform a risk and vulnerability assessment to complement the models (including a review of the service terms associated with each AWS service).
- Assess which security controls and measures are needed to support the legal models.
- Document the compliance arguments: legal, security, and technical.
- Assess whether the security controls and other measures supporting the legal model are sufficient, or whether additional controls or evidence are needed.
- Decide whether the configured measures are appropriate with regard to the risks, and thus whether the service is suitable to handle the intended personal data.
While this framework simplifies a complex process, it provides a comprehensive approach that addresses legal, security, and technical aspects of GDPR compliance. It also helps clarify responsibilities across the delivery chain, ensuring all stakeholders understand their roles in maintaining compliance.
Conclusion
This blog post highlights key strategies from the ADAM guide for data security and for motivating GDPR compliance decisions. We also presented our seven-step structured approach to systematically assessing and documenting GDPR compliance for AWS services. Knowit recommends building a comprehensive compliance strategy that balances legal requirements, technical controls, and organizational processes. With deep experience in securing AWS Cloud environments, Knowit Cybersecurity & Law can assist you at every step of your compliance journey.
Knowit – AWS Partner Spotlight
AWS Premier Partner Knowit has deep knowledge of laws and standards relevant to the Nordic market and has assisted many clients in the private and public sectors to make well-informed decisions related to compliance and security.