The EU's General Data Protection Regulation (GDPR) is designed to protect the fundamental privacy rights and personal data of EU data subjects and took effect on May 25, 2018. Among the data privacy regulations in force worldwide, GDPR is known for its high standards and severe penalties. All currently available AWS services and features comply with the high privacy and data protection standards required by GDPR. AWS is also committed to providing services and resources that help customers comply with the GDPR requirements that may apply to their activities, and customers can deploy AWS services as an important part of their GDPR compliance program.
Summary
This article describes the services and resources AWS provides to help customers meet the requirements of the General Data Protection Regulation (GDPR). Topics include compliance with IT security standards, the AWS Cloud Computing Compliance Controls Catalogue (C5) certification, adherence to the Cloud Infrastructure Services Providers in Europe (CISPE) Code of Conduct, data access controls, monitoring and logging tools, and encryption and key management.
GDPR Overview
The General Data Protection Regulation (GDPR) is the European privacy law (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) and took effect on May 25, 2018. GDPR replaces the EU Data Protection Directive (Directive 95/46/EC) and aims to harmonize data protection law across the European Union (EU) by applying a single data protection law that is binding on every EU member state. GDPR applies to all processing of personal data, whether by organizations established in the EU or by organizations that process the personal data of EU residents when offering goods or services to individuals in the EU or monitoring the behavior of EU residents within the EU. Personal data means any information relating to an identified or identifiable natural person.
Changes Brought by GDPR
GDPR seeks to establish consistency in how personal data is securely processed, used and exchanged across EU member states. Organizations must demonstrate that the data they process is secure, and must maintain ongoing compliance, by implementing and regularly reviewing the technical and organizational measures that apply to the processing of personal data, together with their compliance policies. EU supervisory authorities can impose fines for GDPR violations of up to €20 million or 4% of global annual turnover, whichever is higher.
AWS preparation for GDPR: AWS compliance and security experts work with customers around the world to answer their questions and help them run workloads in the cloud under GDPR. AWS offers a GDPR-compliant Data Processing Addendum (GDPR DPA) that enables customers to meet their contractual obligations under GDPR.
Shared responsibility model: security and compliance are shared responsibilities between AWS and the customer. When a customer moves its computing systems and data to the cloud, responsibility for security is shared between the customer and the cloud service provider. AWS is responsible for securing the underlying infrastructure that supports the cloud, while the customer is responsible for anything they place in the cloud or connect to it.
Data Access Control
GDPR Article 25 requires that data processing "implement appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for the business at hand are processed". The following AWS access control mechanisms can help customers meet this requirement: Identity and Access Management (IAM), multi-factor authentication (MFA), region restrictions, and application-level access controls.
Monitoring and Logging
GDPR Article 30 requires that "each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility". AWS provides the following monitoring and logging services: AWS Config, AWS CloudTrail, logging and analysis tooling, and centralized security management.
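An added example (not from the AWS whitepaper or this page) that ties the access-control and monitoring sections together: it audits constructed CloudTrail-style records, flagging calls made outside an assumed EU-only region set and privileged calls made without MFA, and tallies events per service and action as raw input to an Article 30 record of processing activities. The region list, the MFA-required action sets and the sample records are all assumptions.

```python
"""Audit constructed CloudTrail-style records for GDPR-relevant controls.
Constructed sample data, not from the AWS whitepaper this page summarizes.
Flags (1) access from outside an assumed EU-only region set and (2)
privileged API calls made without MFA; tallies events per service/action.
"""

# Assumed policy values: EU-only regions and calls that must use MFA.
EU_REGIONS = {"eu-west-1", "eu-central-1", "eu-north-1"}
MFA_REQUIRED = {"kms.amazonaws.com": {"Decrypt", "DisableKey"},
                "s3.amazonaws.com": {"DeleteBucket", "PutBucketPolicy"}}

# Constructed records using the field names CloudTrail emits.
SAMPLE_TRAIL = [
    {"eventTime": "2024-03-01T08:00:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "eu-central-1",
     "userIdentity": {"type": "IAMUser", "userName": "analyst", "sessionContext":
                      {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-03-01T08:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "userName": "analyst", "sessionContext":
                      {"attributes": {"mfaAuthenticated": "true"}}}},
    {"eventTime": "2024-03-01T09:00:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "awsRegion": "eu-west-1",
     "userIdentity": {"type": "IAMUser", "userName": "batchjob", "sessionContext":
                      {"attributes": {"mfaAuthenticated": "false"}}}},
]

def mfa_used(record):
    """CloudTrail stores the MFA flag as the string "true"/"false"."""
    ctx = record.get("userIdentity", {}).get("sessionContext", {})
    return ctx.get("attributes", {}).get("mfaAuthenticated") == "true"

def audit_trail(records, allowed_regions=EU_REGIONS):
    """Return (findings, per-(service, action) event counts)."""
    findings, activity = [], {}
    for r in records:
        who = r["userIdentity"].get("userName", r["userIdentity"]["type"])
        key = (r["eventSource"], r["eventName"])
        activity[key] = activity.get(key, 0) + 1  # feeds the Article 30 record
        if r["awsRegion"] not in allowed_regions:
            findings.append(("region", who, r["eventName"], r["awsRegion"]))
        if r["eventName"] in MFA_REQUIRED.get(r["eventSource"], ()) and not mfa_used(r):
            findings.append(("no-mfa", who, r["eventName"], r["awsRegion"]))
    return findings, activity

if __name__ == "__main__":
    for finding in audit_trail(SAMPLE_TRAIL)[0]:
        print("FINDING", *finding)
```

In practice the records would come from the CloudTrail log files delivered to S3 rather than an inline list; the field names used here match those files.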
Protecting Your Data on AWS
GDPR Article 32 requires organizations to "implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including ... the pseudonymisation and encryption of personal data ...". AWS provides encryption tooling such as encryption at rest, encryption in transit, AWS Key Management Service (KMS), and AWS CloudHSM.
AWS Service Capabilities Checklist

Original source:
https://d1.awsstatic-china.com/whitepapers/compliance/GDPR_Compliance_on_AWS.pdf
For further assistance or services, please leave a message; Taiyue Cloud will provide automation tools and professional services.