
GDPR Compliance for Cloud Infrastructure

Data Protection and Privacy for European Union/European Economic Area residents

GDPR, the General Data Protection Regulation, is a European Union regulation adopted in 2016 (and applicable from 25 May 2018) that governs data protection and privacy for individuals in the European Union/European Economic Area. In practice, GDPR has far-reaching implications beyond Europe: it applies not only to EU/EEA organizations, but to any organization, wherever it is located, that processes the personal data of individuals in the EU/EEA in connection with offering them goods or services or monitoring their behaviour.

GDPR extends data protection beyond what many non-EU/EEA laws, including US federal law, require. A few examples:

  • Data subjects have the right to a copy of their personal data (Article 15) and, in many cases, to have it erased (Article 17)
  • Personal data may be processed only on a lawful basis (Article 6); where that basis is consent, the consent must be freely given and can be withdrawn at any time
  • Personal data breaches must be reported to the supervisory authority within 72 hours of the organization becoming aware of them, unless the breach is unlikely to result in a risk to individuals (Article 33)

The consequences for violating GDPR provisions are severe: administrative fines of up to the greater of 4% of total worldwide annual turnover or €20 million (Article 83).

GDPR and the Cloud

Of the 11 chapters in the GDPR, Chapter 4 (Controller and Processor) contains the articles that most directly affect IT and security teams running public cloud environments that store and process personal data. For example:

  • Article 25 - Data protection by design and by default - specifies that “measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”. AWS IAM and Azure Active Directory (now Microsoft Entra ID) permissions and policies help ensure that the scope of data access is limited, for example by granting granular access to objects in AWS S3 buckets or Azure Storage blobs. Identity policies alone do not prevent a bucket policy or blob container from being made public, so pair them with S3 Block Public Access and disabled anonymous blob access.
  • Article 30 - Records of processing activities - requires controllers and processors to maintain records of their processing activities (purposes, categories of data and data subjects, recipients, retention periods and security measures). Enabling API monitoring via AWS CloudTrail or the Azure Activity Log/Azure Monitor, with logs delivered to S3 buckets or storage blobs, gives organizations the evidence of who accessed and changed what that supports this requirement; the logs themselves are not the record of processing, which still has to be written and maintained.
  • Article 32 - Security of processing - lists the pseudonymisation and encryption of personal data among the technical measures to be applied as appropriate to the risk. IT and security teams can encrypt data at rest and in transit, for example for AWS S3 buckets and RDS instances, Azure Storage blobs and SQL databases, or Google Cloud Compute Engine persistent disks.

Detect Compliance Violations

Fugue continuously evaluates your cloud environments for GDPR compliance violations using predefined rules mapped to GDPR compliance controls. If a resource is found to be non-compliant, an alert notifies the compliance team, which can then correct the resource and establish a baseline for future enforcement.
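As an added illustration of what a rule-based evaluation of the Article 25, 30 and 32 controls described above looks like in code (this is example code written for this page, not Fugue's rules or any code from the product), the Python below evaluates a constructed inventory of S3 bucket and CloudTrail settings: all four S3 Block Public Access flags for Article 25, a default server-side encryption rule for Article 32, and bucket access logging plus an active multi-region CloudTrail for Article 30. The inventory dictionaries are constructed for the example and shaped like the corresponding boto3 responses (get_public_access_block, get_bucket_encryption, get_bucket_logging, describe_trails and get_trail_status); the bucket and trail names and the mapping of each check to an article are assumptions of this example, not a legal determination.

```python
"""Evaluate a constructed AWS configuration snapshot against GDPR-mapped controls.

Example code for this page; not Fugue's rule set. Article mapping is an assumption.
"""
from dataclasses import dataclass

# Constructed inventory, shaped like boto3 responses. None models an API that
# reported no configuration (for get_bucket_encryption this is the
# ServerSideEncryptionConfigurationNotFoundError a client would have to catch).
# IsLogging on a trail comes from cloudtrail.get_trail_status and is merged in here.
INVENTORY = {
    "buckets": {
        "customer-records-eu": {  # hypothetical compliant bucket
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
            },
            "ServerSideEncryptionConfiguration": {"Rules": [
                {"ApplyServerSideEncryptionByDefault": {
                    "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/customer-data"}}]},
            "LoggingEnabled": {"TargetBucket": "audit-logs-eu",
                               "TargetPrefix": "s3/customer-records-eu/"},
        },
        "marketing-exports": {  # hypothetical misconfigured bucket
            "PublicAccessBlockConfiguration": {
                "BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": False, "RestrictPublicBuckets": False,
            },
            "ServerSideEncryptionConfiguration": None,
            "LoggingEnabled": None,
        },
    },
    "trails": [
        {"Name": "org-trail", "S3BucketName": "audit-logs-eu", "IsMultiRegionTrail": True,
         "LogFileValidationEnabled": True, "IsLogging": True},
    ],
}

PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
ACCEPTED_SSE = {"AES256", "aws:kms", "aws:kms:dsse"}


@dataclass(frozen=True)
class Finding:
    article: str   # GDPR article the failed control is mapped to (assumption)
    resource: str  # resource the finding applies to
    message: str


def check_public_access(bucket, pab):
    """Art. 25: every Block Public Access flag must be on, so objects are not
    reachable by an indefinite number of people by default."""
    flags = pab or {}
    return [Finding("Art. 25", f"s3://{bucket}", f"{flag} is not enabled")
            for flag in PAB_FLAGS if not flags.get(flag, False)]


def check_default_encryption(bucket, sse):
    """Art. 32: a default server-side encryption rule with an accepted algorithm."""
    rules = (sse or {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm") for r in rules}
    if algos & ACCEPTED_SSE:
        return []
    return [Finding("Art. 32", f"s3://{bucket}", "no default server-side encryption rule")]


def check_access_logging(bucket, logging):
    """Art. 30 (supporting evidence): object access is recorded to a target bucket."""
    if logging and logging.get("TargetBucket"):
        return []
    return [Finding("Art. 30", f"s3://{bucket}", "server access logging is disabled")]


def check_cloudtrail(trails):
    """Art. 30 (supporting evidence): at least one multi-region trail is actively
    delivering logs to S3 with log file validation, so API history is tamper-evident."""
    active = [t for t in trails
              if t.get("IsMultiRegionTrail") and t.get("IsLogging")
              and t.get("LogFileValidationEnabled") and t.get("S3BucketName")]
    if active:
        return []
    return [Finding("Art. 30", "cloudtrail", "no active multi-region trail with log file validation")]


def evaluate(inventory):
    """Run every check over the snapshot and return the list of findings."""
    findings = []
    for name, cfg in inventory["buckets"].items():
        findings += check_public_access(name, cfg.get("PublicAccessBlockConfiguration"))
        findings += check_default_encryption(name, cfg.get("ServerSideEncryptionConfiguration"))
        findings += check_access_logging(name, cfg.get("LoggingEnabled"))
    findings += check_cloudtrail(inventory["trails"])
    return findings


if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"[{f.article}] {f.resource}: {f.message}")
```

Run against the constructed inventory, the compliant bucket and the trail produce no findings and the misconfigured bucket produces four (two missing Block Public Access flags, no default encryption, no access logging). In a real scanner the inventory would be collected with the boto3 calls named above, and a missing encryption configuration would be handled by catching the client error rather than by a None placeholder.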

(Screenshot: gdpr-list-rules, Detect Compliance Violations)

Enforce Baselines with Codeless Auto-Remediation

Fugue uses baselines to auto-remediate compliance violations: with baseline enforcement, a misconfigured resource is automatically reverted to its GDPR-compliant baseline without writing automation scripts.

(Screenshot: pci-baseline-enforcement, Enforce Baselines with Codeless Auto-Remediation)

Report on Compliance Posture

Fugue makes it easy to report on your GDPR compliance posture. Detailed reports, dashboards, and visualizations let you track and monitor your cloud resources, and daily or weekly reports highlighting compliant and non-compliant resources can be emailed to executives or auditors as evidence of compliance.

(Screenshot: gdpr-email, Compliance Overview)