May 24th, 2018
Buckle Up For GDPR
By Sophia Hudson

The European Union’s broadly sweeping General Data Protection Regulation (GDPR) law becomes enforceable on May 25, 2018. With the legal and technical ramifications of non-compliance to the law being as significant as they are, it’s critical to be well-informed on the topic.

While we are not a law firm and claim no licensed legal expertise regarding GDPR, our team specializes in crafting the systems—data storage, transformation, processing, and cloud infrastructure—to which this legislation will apply. These types of regulations are considerations we understand and deal with on the daily.

Though not exhaustive, below is a summary of the critical aspects of the legislation and includes a list of FAQs and references you can turn to for more detail.

In a Nutshell

GDPR is the European Union’s new data protection and privacy regulation—and regulate it does. The primary intent of GDPR is to give individuals complete sovereignty over their data. This data includes everything from names, addresses, medical records, and bank information to social media posts, search history, and the IP addresses of your devices.

If you do business with residents of the EU, as a foreign entity or otherwise:

If you want to …

  • record a conversation with a person,
  • save information about a person,
  • process a person’s information,
  • make inferences about a person using their information,
  • sell their information,

Then …

  • the person must explicitly grant you consent to store the data.
  • the person must explicitly grant you consent to use the data for specific purposes.
  • the person may withdraw consent for storage, processing, or both.
  • the person has the right to ownership of the data itself.
  • the person has the right to information about how that data is used.
  • you must completely purge all records to which a withdrawal of consent applies (yes, also your backups sitting in cold storage).
  • you are prohibited from inhibiting the person’s ability to move their data between systems (both yours and others).
  • you must implement systems that appropriately ‘pseudonymize‘ the users’ data.
  • you are responsible for ensuring compliance of your third-party vendors (cloud service providers, web services, etc.).

 

Example

So, you’re a customer service department at FooCorp that participates in the common practice of recording telephone interactions between your customer service representatives and your customers. Up until now, at the beginning of every call, your automated system blares, “This phone call is recorded for quality control, training, and security purposes.”

The implication is that by hearing the message and continuing to stay on the phone, a customer is giving implicit consent to being recorded.

Does that fly under GDPR?

NOPE!

Under GDPR, a customer must explicitly grant you permission to record the interaction. It’s their data; they’re in charge. You and FooCorp don’t get to make assertions about collecting and storing their data.

What’s more, they can revoke permission at any time, and the onus falls on you and FooCorp to completely expunge the existing record of the interaction from the system. As the owner of the data, the customer gets to change their mind about consent.

 

General FAQs

Q    Why GDPR?

A    Amid the many data breaches, abuses, and misuses popping up around the globe, the European Union has decided to take a very serious look at data protection and privacy for its residents. Companies world-wide have not done an adequate job prioritizing these concerns, so this legislation was developed and introduced to remedy the situation. Europe is putting the rights of their residents before the rights of the entities with which they interact.

 

Q    Does GDPR apply to me?

A    Ask yourself the following:

  • Do you conduct business with residents of the EU?
  • Do you store and/or process data of residents of the EU?

If you answered “yes” to either of these questions, GDPR applies.

 

Q    Am I going to get sued for non-compliance?

A    Probably not immediately, but why would you take the risk? GDPR lays out a variety of fines, audit processes, business restrictions, and sanctions that can be applied to non-compliant businesses—specific penalties are situational.

 

Q    How long do I have before non-compliance must be reported?

A    GDPR lays out explicitly that 72 hours is the maximum amount of time a business entity is allowed to go without self-reporting a known compliance violation.

 

FAQs Related to AWS

Q    Is AWS GDPR compliant?

A    As of March 28, 2018 all AWS products are compliant with GDPR, two months ahead of the prescribed deadline. This does not mean that a company using AWS is automatically compliant; companies are still responsible for their part of the AWS Shared Responsibility Model. Despite the regulations not taking effect until May 25, AWS has been encouraging their customers to comply (see the Data Processing Agreement) since they became compliant in March.

 

Q    How can 1Strategy help with my GDPR compliance questions and concerns?

A    We are not a law firm, so we cannot certify your compliance with GDPR. Nor can we perform a formal audit of your compliance with the law. However, we can help you with the architecture and implementation of GDPR-compliant systems. Even better, AWS offers services designed specifically to deal with sensitive data and compliance considerations (Amazon Macie, for example) within the AWS ecosystem—we can help you leverage these.

 

Q    If a company is already using AWS, would a Well-Architected Review address whether or not that company is GDPR compliant?

A    No. As stated, 1Strategy has no legal authority to certify compliance with GDPR. We can conduct an AWS Well-Architected Review (WAR), which could help a company evaluate its architecture in regard to compliance. A WAR could help identify places where a company might be non-compliant or take steps to help design for compliance with remediation hours, but it doesn’t guarantee, nor can we certify compliance. Despite all AWS services’ being GDPR-compliant (as of March 26, 2018), customers are still responsible for the compliance of their systems. Even though all AWS products are GDPR compliant, customers are still responsible for the compliance of systems and services they build on AWS, and need an audit by a GDPR-sanctioned auditor to certify compliance.

 

Additional Resources

In addition to the links included in the above paragraphs, here are a few more resources from AWS:

Conclusion

In summary, GDPR is a big deal if you do business with anyone in Europe, but it doesn’t need to be scary. If you have questions about your cloud infrastructure and its security, you’re wondering how utilizing AWS can help you, or you’re interested in an AWS Well-Architected Review contact us at info@1Strategy.com.

 

Special thanks to Kevann Davis for her contributions to and edits of this article.