GDPR - or General Data Protection Regulation - is a regulatory framework enacted by the European Union in 2016 that governs data protection and privacy for European Union/European Economic Area residents. In practice, GDPR has far-reaching implications beyond Europe, as GDPR applies not only to EU/EEA
GDPR extends data protection beyond what current laws in the United States and non-EU/EEA countries specify. A few examples:
- Data subjects have the right to a copy of their data, and to have it erased in many cases
- Personal data can only be processed with the consent of data subjects - and consent can be revoked at any time
- Data breaches must be reported within 72 hours
The consequences for violating GDPR provisions are severe - up to the greater of 4% of worldwide revenue or €20 million.
GDPR and the Cloud
Of the 11 chapters in the GDPR regulations, Chapter 4: Controller and Processor, includes articles that impact IT and security teams working with public cloud environments that manage and process user data. For example:
- Article 25 - Data protection by design and by default - specifies that “measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”. AWS IAM and Azure Active Directory permissions and policies help ensure that the scope of data access
arelimited - such as specifying granular access to objects in AWS S3 buckets or Azure storage Blobs.
- Article 30 - Records of processing activities - specifies that data processors should retain records on data processing. Enabling API monitoring via AWS CloudTrail or Azure Monitor with logs sent to S3 buckets/storage Blobs helps organizations fulfill this requirement.
- Article 32 - Security of process - specifies that personal data should be encrypted. IT and Security teams can take measures to encrypt
data at-restand in-transit - as an example for AWS S3 buckets and RDS instances, Azure storage Blobs and SQL databases, or Google Cloud compute instance disks.
Enforce Baselines with Codeless Auto-Remediation
Fugue utilizes baselines to auto-remediate and correct compliance violations via self-healing. With baseline enforcement, misconfiguration is automatically corrected back to the GDPR-compliant baseline without writing automation scripts.