4 Best Practices to Get Your Cloud Deployments GDPR Ready

With GDPR coming into force later this month, security and compliance will be the top-most priority for any cloud deployment that contains personal data of EU citizens.

While leading providers have moved to make their platforms and services compliant, ensuring compliance requires more than just technology. Companies will also need to invest time and resources to prepare internal cloud teams to correctly and effectively design secure, auditable, and traceable cloud solutions that also meet the demands of the business. Here are four steps to get your cloud deployments ready for GDPR compliance.

#1 Make sure your cloud partners are GDPR compliant

In the cloud, the entire security framework operates under a shared responsibility model between the provider and the customer.

From an infrastructure perspective, the cloud service provider is responsible for providing a secure cloud environment, from their physical presence to the underlying resources that provide compute, storage, database, and network services.

Customers who import data and utilize the provider’s services are responsible for using them to design and implement their own security mechanisms such as access control, firewalls (both at the instance and network levels), encryption, logging, and monitoring.

Under GDPR, both customers (as controllers who define how and why personal data is collected) and cloud providers (as processors who manage, process, or store personal data on behalf of the controller) must be compliant.

To date, AWS, Google Cloud, and Microsoft Azure have announced either their compliance (in the case of AWS) or their commitment to GDPR (Google and Microsoft) by the May 25 deadline.

Enterprises should make sure that their cloud partners and any third party that processes, manages, or stores personal data of EU citizens on their behalf have the proper compliance and controls in place.

#2 Audit your systems for personal data

Personally identifiable information (PII) as defined by GDPR includes a range of data types, from names, email addresses, and phone numbers, to photos, genetic data, and IP addresses. But how much of the personal data that you store is actually required for your business?

GDPR is an opportunity to take a critical look at the types of data you collect and why. Use cloud services like AWS’s Amazon Macie to audit and assess the type of data currently in your data stores and determine which ones will be impacted by GDPR. Do they contain data that is outdated or personal data that is unnecessary for your business? Take this opportunity to redefine your processes for the type of data that you will collect going forward.
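The audit described above is a data-discovery exercise: scan what is actually stored, classify which fields and records hold personal data, and flag what is stale. The following is an added example, not code from the original post and not Amazon Macie; it is a small offline stand-in that shows the kind of classification such an audit performs over a handful of constructed records. The column names, regular expressions, the `last_activity` field and the 730-day retention window are all assumptions made for the illustration.

```python
"""Lightweight personal-data discovery over sample records (added example).

Amazon Macie is the managed service the post names; this stand-alone script
only illustrates the classification step. Every record below is constructed.
"""
import re
from datetime import date, timedelta

# Content-based heuristics for some of the data types the post lists.
# Deliberately simple: good enough to show the technique, not a full classifier.
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Phone candidates are filtered by digit count below, so order ids and dates
# (fewer than 10 digits) are not reported as phone numbers.
PHONE_CANDIDATE = re.compile(r"(?<![\w.])\+?\d[\d\s().-]{6,}\d(?![\w.])")

# Column-name hints: values that cannot be recognised by pattern (e.g. a name)
# are classified by the field they live in. Assumed names for this example.
SENSITIVE_FIELD_NAMES = {"name", "email", "phone", "address", "dob"}

# Assumed audit date and retention period (two years) for the staleness check.
AUDIT_DATE = date(2018, 5, 1)
RETENTION_DAYS = 730

# Constructed sample records, shaped like rows exported from a customer table.
SAMPLE_RECORDS = [
    {"id": 1, "name": "Anna Example", "email": "anna@example.com",
     "phone": "+44 20 7946 0958", "last_activity": date(2018, 4, 30),
     "notes": "Prefers email contact"},
    {"id": 2, "name": "Bo Sample", "email": "bo@example.org",
     "phone": "", "last_activity": date(2015, 1, 12),
     "notes": "Last login from 198.51.100.23"},
    {"id": 3, "name": "", "email": "", "phone": "",
     "last_activity": date(2018, 3, 2),
     "notes": "Order ORD-2018-00042 shipped"},
]


def _looks_like_phone(text):
    """True if a candidate run of digits/separators has 10..15 digits."""
    for m in PHONE_CANDIDATE.finditer(text):
        digits = sum(c.isdigit() for c in m.group())
        if 10 <= digits <= 15:
            return True
    return False


def classify_value(value):
    """Return the set of personal-data categories detected in one string."""
    found = set()
    text = value
    # Match and blank out IPs and e-mails first so their digits do not feed
    # the phone heuristic.
    for name, pattern in (("ipv4", IPV4), ("email", EMAIL)):
        if pattern.search(text):
            found.add(name)
            text = pattern.sub(" ", text)
    if _looks_like_phone(text):
        found.add("phone")
    return found


def audit(records, today=AUDIT_DATE, retention_days=RETENTION_DAYS):
    """Classify each record and flag those with no activity inside retention."""
    cutoff = today - timedelta(days=retention_days)
    report = []
    for rec in records:
        categories = set()
        for key, value in rec.items():
            if not isinstance(value, str):
                continue  # dates, ids and other non-text fields are not scanned
            if value and key.lower() in SENSITIVE_FIELD_NAMES:
                categories.add(key.lower())
            categories |= classify_value(value)
        report.append({
            "id": rec["id"],
            "categories": sorted(categories),
            "stale": rec["last_activity"] < cutoff,
        })
    return report


def summarize(report):
    """Count records per category and stale records, for the audit write-up."""
    counts = {}
    for entry in report:
        for cat in entry["categories"]:
            counts[cat] = counts.get(cat, 0) + 1
    counts["stale_records"] = sum(1 for e in report if e["stale"])
    return counts


if __name__ == "__main__":
    result = audit(SAMPLE_RECORDS)
    for entry in result:
        print(entry)
    print(summarize(result))
```

Record 2 shows why free-text columns matter: the IP address in a notes field is personal data under GDPR even though no "IP" column exists, and the record is also past the assumed retention window, which is exactly the "outdated data" question the post raises. Record 3 holds an order id with nine digits and is correctly left unclassified.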

#3 Put proactive security services in place

A cloud security breach is more than just the loss of data. Exposed S3 buckets and other high-profile breaches that left millions of pieces of PII exposed in 2017 could prove fatal for a business under the new regulations. Under GDPR, a breach that results in exposure of personal data could result in fines of up to 4% of annual turnover or €20 million.

GDPR is an opportunity for companies to implement broader, more comprehensive cloud security and data protection in your deployments at every level. Amazon Web Services, Microsoft Azure, and Google Cloud Platform each have a range of services in place to support your security and compliance requirements. These include:

  • Access: Identity and access management (IAM) mechanisms allow you to provide granular levels of permissions to any given user, group, and service. Multi-factor authentication should also be used for any user with an elevated set of permissions.
  • Encryption: Encryption should be used where possible for any data at rest and in transit. Encryption in transit should be used when transferring data to and from the cloud and when moving data between internal cloud services using protocols such as TLS (Transport Layer Security). The leading cloud service providers offer specific services that allow you to manage data encryption: AWS’s Key Management Service, Microsoft Azure’s Key Vault, and Google Cloud Platform’s Cloud Key Management Service.
  • Monitoring: Use monitoring services to identify changes in the environment, security loopholes, noncompliant resources, malicious activity, irregular trends, or brute force attacks. AWS has a range of services including CloudTrail and Amazon CloudWatch, Azure has Monitor and the Azure Security Center, while Google offers Stackdriver and Cloud Security Scanner.
  • Threat detection: Specific services that analyze log data—for data flows, events, DNS—are designed to identify threats. New “intelligent” services such as AWS GuardDuty assess log data against multiple security feeds to detect suspicious activity in traffic, malicious URLs, etc.
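Three of the controls listed above (no publicly readable buckets, encryption at rest by default, MFA for users with elevated permissions) can be verified from configuration rather than trusted. The following added example, which is not code from the original post or from AWS, runs such checks over a constructed inventory. The inventory is shaped loosely after what the AWS APIs return; in a real audit the same dictionaries would be filled from boto3 calls such as `get_bucket_policy`, `get_bucket_encryption` and `list_mfa_devices`. Bucket names, account id, user names and the set of "elevated" managed policies are all assumptions for the illustration.

```python
"""Configuration checks for three cloud security controls (added example).

The inventory below is constructed; nothing here calls AWS. The check
functions are written so that real API responses could be fed to them.
"""
import json

# Constructed inventory: two buckets with their policy document and default
# encryption configuration (None = not configured).
BUCKETS = [
    {
        "Name": "customer-exports",
        "Policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": "*",              # everyone, no Condition: public read
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::customer-exports/*",
            }],
        }),
        "Encryption": None,
    },
    {
        "Name": "customer-backups",
        "Policy": json.dumps({
            "Version": "2012-10-17",
            "Statement": [{
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup"},
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::customer-backups/*",
            }],
        }),
        "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault":
                                  {"SSEAlgorithm": "aws:kms"}}]},
    },
]

# Constructed IAM users: attached managed policies and registered MFA devices.
USERS = [
    {"UserName": "ops-admin",
     "AttachedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
     "MFADevices": []},
    {"UserName": "reporting",
     "AttachedPolicies": ["arn:aws:iam::aws:policy/ReadOnlyAccess"],
     "MFADevices": []},
    {"UserName": "sec-admin",
     "AttachedPolicies": ["arn:aws:iam::aws:policy/AdministratorAccess"],
     "MFADevices": ["arn:aws:iam::123456789012:mfa/sec-admin"]},
]

# Assumed definition of "elevated permissions" for the MFA rule.
ELEVATED_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/IAMFullAccess",
}


def _principal_is_public(principal):
    """True for the wildcard principal in either of its policy spellings."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def bucket_policy_is_public(policy_json):
    """True if any Allow statement grants access to everyone unconditionally."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    for stmt in statements:
        if (stmt.get("Effect") == "Allow"
                and "Condition" not in stmt
                and _principal_is_public(stmt.get("Principal"))):
            return True
    return False


def check_buckets(buckets):
    """Public-policy and missing-default-encryption findings, as (rule, name)."""
    findings = []
    for b in buckets:
        if b.get("Policy") and bucket_policy_is_public(b["Policy"]):
            findings.append(("public-bucket-policy", b["Name"]))
        if not b.get("Encryption"):
            findings.append(("no-default-encryption", b["Name"]))
    return findings


def check_users(users):
    """Users holding an elevated managed policy but no MFA device."""
    findings = []
    for u in users:
        if ELEVATED_POLICIES.intersection(u["AttachedPolicies"]) and not u["MFADevices"]:
            findings.append(("elevated-user-without-mfa", u["UserName"]))
    return findings


def run_checks(buckets=BUCKETS, users=USERS):
    return check_buckets(buckets) + check_users(users)


if __name__ == "__main__":
    for rule, resource in run_checks():
        print(f"{rule}: {resource}")
```

Two caveats a practitioner should keep in mind: the public-policy check treats any statement carrying a `Condition` as non-public, which is conservative in the wrong direction (a condition can still be broad enough to expose data), so such statements deserve manual review; and bucket ACLs are a second, independent route to public exposure that this policy-only check does not cover.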

#4 Empower teams for compliance

A regulation as far-reaching as GDPR will impact your organization at the technology, process, and people levels. A shared understanding by your teams of the regulation and how it impacts your organization from the point of view of technology and the business will be an essential component of your compliance efforts.

  • Make sure your planning addresses your GDPR training needs for both the general concepts and the required skills and experience that teams will need to implement the appropriate levels of compliance and security in your cloud services.
  • Start by instilling a culture of transparency around adherence to security best practices in each organizational unit that touches any cloud initiative.
  • Identify any skill gaps and implement measurable, performance-driven training plans to keep skill development on track.
  • Create a continuous training strategy to ensure that team knowledge and skills stay ahead of the next disruption and that teams are up to date with the latest vendor releases, privacy policies, and best practices.

A best practices approach will be key to getting your cloud deployments GDPR ready and to preparing for any security and compliance challenges that your business will face.


Written by

Stuart Scott

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation. To date, Stuart has created 100+ courses relating to Cloud reaching over 120,000 students, mostly within the AWS category and with a heavy focus on security and compliance. Stuart is a member of the AWS Community Builders Program for his contributions towards AWS. He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape. In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community. Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.
