[Report] #GDPR Meetup: How to get GDPR ready #AWS #DataProtection

Guten Tag! This is Mai Ito from Classmethod (Europe) GmbH.

The other night I joined a meetup event here in Berlin regarding the much anticipated GDPR (General Data Protection Regulation). The meetup was hosted by AllCloud, an AWS Premier Consulting Partner.

As you may already know, the GDPR is a concerted effort made by the European Parliament and Council that establishes a strict regulation of data protection, which companies in ANY country must adhere to if they handle personal data of EU citizens.

This article will be a general report of the event.

Just a quick FYI, the event took place at Wework Sony Center Berlin, which is a well-known fancy coworking space. Although Wework might be already quite famous around the world, you can find out how amazing OUR coworking space - Mindspace is in this article!

Introduction

What is GDPR?:

  • As already stated, GDPR stands for General Data Protection Regulation
  • It complies to:
    1. Companies that offer services or products to EU citizens
    2. Companies that collect information data about EU citizens
  • It replaces the Data Protection Directive 95/46/EC
  • It comes into effect on May 25, 2018

In regards to the new regulation, are you ready for the following changes? If you can't say yes to one of the following questions, then you need more preparation for implementing GDPR. The penalties for any violation are so severe that a company could easily go into bankruptcy!

  • Can you report unauthorized data access within 72 hours?
  • Can you delete individual data upon request in under 30 days?
  • Are you enforcing the GDPR requirements on your cloud?
  • Do you have the right data access policy and controls?

Agenda

Here are the talks that were presented:

  1. How will GDPR impact your business? - Dr. Robert Klimke, AllCloud Country Manager, Germany
  2. Hardening and Securing your AWS environment to meet GDPR - Virgil Niculescu, DevOps Team Leader and Enterprise Security Expert

#1 How will GDPR impact your business?

Key changes

GDPR has hundreds of requirements and it's vastly different from the existing directive, which was established in 1995. The following lists are some of the key changes that were explained.

  • Increased fines
    Fines for a breach of GDPR can be up to 4% of annual global turnover or €20 Million (whichever is greater)

  • Expanded scope
    The regulation applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location and whether the processing takes place in the EU or not.

  • Data Protection Officers (DPOs)
    must be appointed if the organization conducts regular and large-scale systematic monitoring of data subjects.

  • New rights for data subjects

    • Right to be Forgotten (Data Erasure): to have the data controller erase their personal data

    • Right to Data Portability: to receive their personal data, which they have previously provided and to transmit those data to another controller

    • Right to Access: to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, where and for what purpose.

You can view further information on the official GDPR website. The subject of personal data does not only apply to the customer, but also to the employees of a company. Even the software, which processes their personal data, needs to comply with GDPR.

The challenges of managing personal data

Data governance, such as managing data flows and supporting an individual's right, is supported by security, which enables organizations to meet many of the GDPR requirements.

For example, companies need integrated impact assessment and they also need to acknowledge where security risks are, they also need proper IAM settings if they use AWS.

Many companies handle their customers' personal data as well as the personal data of their employees. Furthermore, many of them share this information with their suppliers or partners. DPOs need to know where all personal data is located.

However, data flow mapping performed in organizations is extremely time-consuming and usually too precise. It is more efficient to have a focused and concentrated range which pertains to GDPR-relevant data.

AllCloud's Approach

The following elements are a part of the approaches that were explained in the session. Although some operations should be taken by customers themselves, AllCloud can help organizations in many aspects.

  • Train the awareness of employees
  • Role DPO
  • Data governance
    -> AllCloud helps customers review if the architecture and frameworks are ok.
  • Data flow mapping
  • Monitoring, logging
    -> AllCloud suggest the appropriate tools so that customers can prove all the data are safely managed

Here's the article that Dr. Klimke published regarding GDPR.

#2 Hardening and Securing your AWS environment to meet GDPR

If you build on AWS platforms, then AWS is responsible for security of the cloud. (See Shared Responsibility Model)

However, security in the cloud is the responsibility of the customer. Revealing data in S3 bucket or GitHub repository by mistake is not a rare human error in general. Such an error could result in having a malware mining bitcoin on your instances as long as the performance doesn't exceed the capacity!

Basic Account Configurations

Here are a few of the lists that AllCloud provided of suggested AWS services that help companies meet GDPR standards.

  • Service Enablement: CloudTrail, Config
  • Provisioning: IAM Roles and Policies, Identities/Federation
  • Config Checks&Enforcement: S3 Bucket Policy, Root Account MFA, IGW existence

AWS offers Security Token Service (STS) as temporary credentials and Amazon Macie for data classfication.

How AllCloud assists

AllCloud assists customers from assessing the level of preparation all the way to implementation - such as developing access controls, rolling out data encryption, and implementing data access API.

Event Host

The host of the event, AllCloud is a leading global AWS partner from Israel.

Here are a few highlights of the services that they provide:

  • 10 years of experience & over 1,500 successful cloud deployments
  • AWS Premier Consulting Partner & AWS Managed Service Partner
  • Over 50 AWS Certified Professionals on staff

They provide cloud solutions not only for AWS, but also for Google Cloud Platform and Salesforce.

You can review the event details from Eventbrite page.
They offer you Well-Architected Program. (View the details and sign up from here.)

For more information, please contact the Business Manager - Yael Kahn:

Yael Kahn
Business Manager DACH
AllCloud, AWS Division
Berlin, Germany
yael.kahn@allcloud.io

Summary

The enforcement of the GDPR is practically 2-months away! As already stated, the GDPR doesn't only concern the EU. And the penalties are so harsh that every organization should be well-prepared.

Many companies don't yet recognize how the GDPR can affect them, or what steps they should take to adequately deal with it.
When it comes to the technical side of GDPR, preparation can be very tough and complicated...

We at Classmethod (Europe) GmbH also have GDPR-skilled engineers that could assist you in properly preparing for the GDPR with the right solutions, especially on AWS platforms.

For more detailed information and/or inquiries, please contact us via the inquiry form on our website! www.classmethod.de

Related Blog Post (available only in Japanese)