
AWS preps GDPR readiness by signing up to cloud Code of Conduct

AWS is now a member of the Association of Cloud Infrastructure Services Providers in Europe, which means EC2 and the like need to follow certain rules

Amazon Web Services (AWS) has joined the Association of Cloud Infrastructure Services Providers in Europe (CISPE), a group which aims to promote data security and compliance in the context of cloud infrastructure services.

CISPE is a coalition of around 20 cloud infrastructure-as-a-service (IaaS) providers in Europe, which aims to help cloud customers meet the European Union (EU) General Data Protection Regulation (GDPR).

AWS announced that EC2, Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), AWS Identity and Access Management (IAM), AWS CloudTrail and Amazon Elastic Block Store (Amazon EBS) are now fully compliant with CISPE’s Code of Conduct.

AWS said this provides customers with additional assurances that they fully control their data. According to AWS, the Code of Conduct will help its customers comply with the EU GDPR.

The Code of Conduct stipulates who is responsible for what when it comes to data protection. It explains the role of both the provider and the customer under the GDPR, specifically in the context of cloud infrastructure services.

The Code of Conduct additionally develops key principles in the GDPR covering the commitments that providers should undertake to help customers comply. AWS said customers can rely on these concrete benefits in their own compliance and data protection strategies.

In the AWS security blog, Steve Schmidt, vice-president of security engineering and chief information security officer at AWS, wrote: “The Code of Conduct requires providers to be transparent about the steps they are taking to deliver on their security commitments.

“To name but a few, these steps involve notification around data breaches, data deletion and third-party sub-processing, as well as law enforcement and governmental requests. Customers can use this information to fully understand the high levels of security provided.”

Schmidt said there was a general lack of understanding of how cloud services work: “It’s important for AWS to play an active role in CISPE to represent the best interests of our customers, particularly when it comes to the EU GDPR requirements.”

AWS offers its Data Processing Addendum and Model Clauses to enable transfers of personal data outside Europe. “Our decision to participate in CISPE and its Code of Conduct sends a clear message to our customers that we continue to take data protection very seriously,” Schmidt added.
