GDPR and your AWS cloud accounts

UK Cloud Pro
Apr 20, 2017


At the excellent TechUG conference in Leeds this morning, the equally excellent Gary Hibberd of Leeds-based The Agenci performed the miracle of making GDPR sound interesting and, gasp, relevant to all.

Like all good presentations it got me thinking… These days I specialize more in AWS than on-premises, and one area I always touch on with every client is:

How are you organizing your AWS accounts?

Businesses can have one, two or, as Baldrick would count, "some" accounts, each performing a specific function, with trust relationships between them. AWS wrote a great paper on security and multiple accounts here.

The bit in Gary’s presentation that got me noodling was what happens when you consider GDPR *and* AWS *and* the role of the Data Protection Officer (DPO).

In Gary’s words:

The DPO cannot have a conflict of interest with the business. It can’t be the Head of IT. It can’t be the CEO. It has to be a demonstrably impartial role such as Group Audit.

In AWS terms this means creating a separate “Audit” AWS account that is not controlled by IT, and establishing a trust relationship such that the Audit account can (demonstrably) perform compliance tasks for the purposes of GDPR. “Not controlled by IT” has to be real rather than on paper: if IT holds the root credentials or IAM administration of the Audit account, the impartiality you are trying to demonstrate evaporates.

Your impartial AWS Audit Account could look like the AWS Information Security Account:

[Figure: Using a separate account with a trust relationship in AWS]

From the InfoSec / Audit account the DPO can perform data audit activities. An IAM role in each Sales or Retail account, trusting the Audit account and carrying a read-only policy, lets the DPO assume that role and run a tool to check for GDPR “compliance” without being able to change anything. For example: if there is a register of data, is it accurate? Can you compare the register to what actually sits in AWS S3 buckets or RDS databases? What other GDPR tests can be done… intriguing.
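To make the trust relationship concrete, here is an added example (my own, not the author’s tooling or anything from the AWS paper) of the three IAM policy documents involved, plus two checks the DPO would actually want to run: a lint that proves the audit role can only observe, and a comparison of the data register against the buckets the assumed role can see. The account IDs, role name, external ID, register contents and bucket inventory are all constructed placeholders.

```python
"""Cross-account DPO audit role: the trust relationship as IAM policy documents,
a lint proving the role is read-only, and a register-versus-inventory check.
Added example for this post, not the author's tooling. Account IDs, role name,
external ID, register and inventory are constructed placeholders."""
import json
import re

AUDIT_ACCOUNT_ID = "111111111111"  # assumed: the impartial Audit / InfoSec account
SALES_ACCOUNT_ID = "222222222222"  # assumed: a business account holding personal data
DPO_ROLE_NAME = "DPOAuditRole"     # assumed name of the role in each business account
EXTERNAL_ID = "dpo-audit-2018"     # assumed shared secret against the confused deputy


def trust_policy(audit_account_id=AUDIT_ACCOUNT_ID, external_id=EXTERNAL_ID):
    """Trust policy on the DPO role inside a business (Sales/Retail) account.
    Only principals in the Audit account may assume it, and only with MFA and
    the agreed external ID, so IT in the business account cannot act as the DPO."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{audit_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "StringEquals": {"sts:ExternalId": external_id},
            },
        }],
    }


def permissions_policy():
    """What the DPO role may do in the business account: inventory S3 buckets
    and RDS instances, and nothing that changes them."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets", "s3:GetBucketLocation",
                "s3:GetBucketTagging", "s3:GetEncryptionConfiguration",
                "rds:DescribeDBInstances", "rds:ListTagsForResource",
            ],
            "Resource": "*",
        }],
    }


def assume_role_policy(business_account_id=SALES_ACCOUNT_ID, role_name=DPO_ROLE_NAME):
    """Audit-account side: the DPO's IAM user or group may assume the audit
    role in one named business account, and nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": f"arn:aws:iam::{business_account_id}:role/{role_name}",
        }],
    }


# Get/List/Describe actions only observe; wildcards such as "s3:*" never match.
_READ_ONLY = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z0-9]*$")


def mutating_actions(policy):
    """Every allowed action that is not provably read-only. An empty list is
    the evidence that the DPO role can only look, which is what 'impartial' needs."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        found.extend(a for a in actions if not _READ_ONLY.match(a))
    return found


# Constructed sample data: the DPO's register of buckets holding personal data, and
# the bucket names s3:ListAllMyBuckets returned when called through the assumed role.
SAMPLE_REGISTER = {
    "sales-crm-exports": "customer contact details; lawful basis: contract",
    "retail-orders": "order history; lawful basis: contract",
}
SAMPLE_INVENTORY = ["retail-orders", "sales-crm-exports", "marketing-scratch"]


def compare_register(register, inventory):
    """Returns (undeclared, stale): buckets that exist but are not in the
    register, and register entries whose bucket no longer exists."""
    undeclared = sorted(set(inventory) - set(register))
    stale = sorted(set(register) - set(inventory))
    return undeclared, stale


if __name__ == "__main__":
    print(json.dumps(trust_policy(), indent=2))
    print("mutating actions:", mutating_actions(permissions_policy()))
    print("undeclared, stale:", compare_register(SAMPLE_REGISTER, SAMPLE_INVENTORY))
```

In practice the DPO, signed in to the Audit account with MFA, would run something like `aws sts assume-role --role-arn arn:aws:iam::222222222222:role/DPOAuditRole --role-session-name dpo-audit --external-id dpo-audit-2018 --serial-number <mfa-device-arn> --token-code <code>`, use the returned temporary credentials to list buckets and RDS instances, and feed the result into `compare_register`. The “demonstrably” part comes for free: CloudTrail in the business account records the AssumeRole call with the Audit-account principal, and `mutating_actions` returning an empty list is your written evidence that the role could not have altered anything it inspected.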

Don’t think you can blame Amazon

Amazon have their own position on GDPR but, in respect of their Shared Responsibility model, do not confuse *their* GDPR responsibilities with *your* GDPR responsibilities. What *you* do in *their* cloud with *your* data is *your* responsibility.

People already blame their business availability on the occasional cloud outage, but the reality is that availability is, like data protection, your responsibility and not the cloud provider’s.

Besides, as Gary pointed out, GDPR doesn’t care whether you are the data processor or controller: you are accountable for GDPR on the data collected or processed.

Conclusion

If you’re already “doing” the Data Protection Act 1998, then you should be in good shape for GDPR 2018 but no doubt there is work to do.

If I were you, I’d check out what Gary Hibberd is saying: he has a plan, and he offers third-party DPO services so smaller businesses can demonstrate an impartial DPO without hiring one specifically. You should also check out products like InfoSaaS that *assist* you with your GDPR work, and AWS-specific products that check your accounts against the CIS AWS benchmark, such as CloudSploit, Cloud Conformity and others.

But the bottom line is this: it’s everyone’s responsibility to think and act differently about data, and the DPO is an accountable role. The penalties are horrendous (£millions) and potentially business-ending. TalkTalk “got away” with a £400k fine; under GDPR it could have been more than £70m.
