GDPR
The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. It applies to any organisation that processes the personal data of individuals in the EU, regardless of where the organisation is based.
Guardian Pro maps its automated checks to the technical requirements of GDPR, helping you ensure that your AWS infrastructure meets the regulation's data protection standards.
What GDPR Requires (Technical Controls)
While GDPR encompasses organisational, legal, and procedural requirements, many of its mandates translate directly into technical controls that Guardian Pro can evaluate automatically:
Data Protection by Design and Default (Article 25)
GDPR requires that data protection is built into systems from the outset, not added as an afterthought:
- Encryption at rest -- Personal data stored in databases, object storage, and file systems should be encrypted; Article 32 names encryption explicitly but only "as appropriate" to the risk, so document why any given store is or is not encrypted
- Encryption in transit -- Data transmitted between services must be protected with current TLS versions; plain-text protocols and legacy SSL are not acceptable
- Access minimisation -- Systems should expose only the data necessary for their purpose
- Default privacy -- Services should be configured with the most privacy-protective settings by default
Security of Processing (Article 32)
Organisations must implement appropriate technical measures to ensure the security of personal data processing:
- Access control -- IAM policies, MFA enforcement, and least-privilege access
- Network security -- VPC configurations, security groups, and network ACLs that restrict unauthorised access
- Pseudonymisation and encryption -- Technical measures to protect data if a breach occurs
- Resilience -- Multi-AZ deployments, backups, and disaster recovery capabilities
Records of Processing Activities (Article 30)
GDPR requires organisations to maintain records of processing activities. The Article 30 record itself is a document your organisation keeps (purposes of processing, categories of data and recipients, retention periods); infrastructure logs do not replace it, but they evidence what actually happened to the data. Guardian Pro supports this through:
- Comprehensive logging -- CloudTrail, VPC flow logs, and service-specific audit logs
- Log integrity -- CloudTrail log file validation and tamper protection
- Log retention -- Ensuring logs are retained for the required period
Data Breach Notification (Articles 33-34)
Organisations must be able to detect breaches and notify the supervisory authority within 72 hours of becoming aware of one (Article 33), and notify affected individuals where the breach is likely to result in a high risk to them (Article 34). Guardian Pro helps by:
- Monitoring and alerting -- CloudWatch alarms, security event detection, and anomaly alerts
- Audit trails -- Comprehensive logging that supports breach investigation
- Access monitoring -- Detecting unauthorised access patterns
Data Transfer Safeguards (Article 46)
When personal data is transferred outside the EU, appropriate safeguards must be in place:
- Encryption -- Data encrypted before transfer, with the keys kept under your own control, stays protected regardless of destination; treat this as a supplementary technical measure alongside a legal transfer mechanism (such as standard contractual clauses), not as a replacement for one
- Region awareness -- Knowing which AWS regions hold your data; a resource, replica, or backup in a region outside the EU is a transfer in its own right and needs the same safeguards
How Guardian Pro Evaluates GDPR Controls
Guardian Pro maps its automated checks to GDPR articles and requirements. Each GDPR control is evaluated based on the results of relevant automated checks:
| Status | Meaning |
|---|---|
| PASS | All mapped checks are passing, indicating the technical requirements are met |
| FAIL | One or more checks have detected issues relevant to this GDPR requirement |
| NOT APPLICABLE | The requirement targets services or configurations not present in your environment |
GDPR compliance requires both technical and organisational measures. Guardian Pro automates the evaluation of technical controls in your AWS infrastructure. You must also address organisational requirements such as Data Protection Impact Assessments (DPIAs), Data Processing Agreements (DPAs), privacy policies, and consent management through your own governance processes.
Viewing Your GDPR Compliance
After subscribing to the GDPR framework (see Subscribing to Frameworks):
- Open the Compliance Dashboard.
- Locate the GDPR score card.
- Click through to see controls grouped by GDPR article.
- Filter by status to focus on failing controls.
Common GDPR-Related Gaps in AWS
Unencrypted Data Stores
GDPR's encryption requirements frequently surface gaps in:
- S3 buckets without default server-side encryption
- RDS instances without storage encryption enabled
- EBS volumes created without encryption
- ElastiCache clusters without at-rest and in-transit encryption
- SQS queues and SNS topics without server-side encryption
Guardian Pro identifies unencrypted resources and can apply encryption automatically for many services through the Action Centre. For resources that cannot be encrypted in place (such as existing unencrypted RDS instances and EBS volumes, which must be snapshotted and restored as encrypted copies), Guardian Pro provides step-by-step guidance for migration.
Insufficient Access Controls
GDPR requires that access to personal data is restricted to those who need it. Common gaps include:
- IAM users without MFA enabled
- Overly broad IAM policies granting unnecessary permissions
- Security groups allowing unrestricted inbound access
- Publicly accessible databases (RDS, Elasticsearch)
- S3 buckets with public access enabled
Inadequate Logging
Without proper logging, breach detection and investigation are severely hampered, and the 72-hour notification window in Article 33 becomes very hard to meet:
- CloudTrail not enabled in all regions
- VPC flow logs not enabled for VPCs processing personal data
- S3 access logging not enabled for buckets containing personal data
- Database audit logging not configured
Missing Resilience Measures
GDPR Article 32 requires the ability to restore data availability:
- Databases without automated backups
- Single-AZ deployments without failover capability
- No snapshot policies for critical data stores
- Missing cross-region replication for disaster recovery
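As an added example that is not Guardian Pro's own code, the following Python rolls a set of AWS resource records up into the PASS / FAIL / NOT APPLICABLE statuses that the evaluation table above defines, using checks that correspond to the encryption, access control, logging, resilience and data-location gaps listed in this section. The check IDs, the control-to-check mapping, the EU region set and the resource records are assumptions (Guardian Pro's real mapping may differ); the records borrow the field names of the corresponding boto3 describe_*/get_* responses so that the logic runs offline.

```python
# Added example, not Guardian Pro code. Check IDs, the control-to-check mapping, the EU region
# set and the resource records are assumptions; records use boto3 describe_*/get_* field names.
from collections import namedtuple

Result = namedtuple("Result", "check_id resource passed")

# Assumed: regions treated as "inside the EU" for the Article 46 location check.
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1",
              "eu-central-2", "eu-north-1", "eu-south-1", "eu-south-2"}

# Assumed control -> check mapping; each control is one row of the status table.
CONTROLS = {
    "Article 25 - encryption at rest": ["s3_default_encryption", "rds_storage_encrypted",
                                        "elasticache_at_rest_encryption"],
    "Article 32 - encryption in transit": ["elasticache_transit_encryption"],
    "Article 32 - access control": ["s3_public_access_blocked", "rds_not_public",
                                    "iam_user_mfa", "sg_no_open_ingress"],
    "Article 32 - resilience": ["rds_backups_enabled"],
    "Article 30 - audit logging": ["cloudtrail_multi_region", "cloudtrail_log_validation"],
    "Article 46 - data location": ["s3_region_in_eu", "rds_region_in_eu"],
}

def check_s3(b):
    # A missing default-encryption config (get_bucket_encryption raises) is modelled as None.
    rules = (b.get("ServerSideEncryptionConfiguration") or {}).get("Rules", [])
    pab = b.get("PublicAccessBlockConfiguration") or {}
    yield Result("s3_default_encryption", b["Name"],
                 any("ApplyServerSideEncryptionByDefault" in r for r in rules))
    yield Result("s3_public_access_blocked", b["Name"], all(pab.get(k) for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")))
    yield Result("s3_region_in_eu", b["Name"], b["Region"] in EU_REGIONS)

def check_rds(db):
    name = db["DBInstanceIdentifier"]
    yield Result("rds_storage_encrypted", name, db.get("StorageEncrypted", False))
    yield Result("rds_not_public", name, not db.get("PubliclyAccessible", False))
    yield Result("rds_backups_enabled", name, db.get("BackupRetentionPeriod", 0) > 0)
    yield Result("rds_region_in_eu", name, db["Region"] in EU_REGIONS)

def check_iam_user(u):
    yield Result("iam_user_mfa", u["UserName"], bool(u.get("MFADevices")))

def check_security_group(sg):
    open_ingress = any(  # any inbound rule open to the whole internet, IPv4 or IPv6
        r.get("CidrIp") == "0.0.0.0/0" or r.get("CidrIpv6") == "::/0"
        for perm in sg.get("IpPermissions", [])
        for r in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []))
    yield Result("sg_no_open_ingress", sg["GroupId"], not open_ingress)

def check_cloudtrail(t):
    yield Result("cloudtrail_multi_region", t["Name"], t.get("IsMultiRegionTrail", False))
    yield Result("cloudtrail_log_validation", t["Name"], t.get("LogFileValidationEnabled", False))

def check_elasticache(c):
    yield Result("elasticache_at_rest_encryption", c["ReplicationGroupId"], c.get("AtRestEncryptionEnabled", False))
    yield Result("elasticache_transit_encryption", c["ReplicationGroupId"], c.get("TransitEncryptionEnabled", False))

CHECKERS = {f.__name__[len("check_"):]: f for f in (
    check_s3, check_rds, check_iam_user, check_security_group, check_cloudtrail, check_elasticache)}

def run_checks(inventory):
    return [r for res in inventory for r in CHECKERS[res["type"]](res)]

def control_status(results, check_ids):
    # Mirrors the status table: no evidence -> NOT APPLICABLE, any failure -> FAIL.
    relevant = [r for r in results if r.check_id in check_ids]
    if not relevant:
        return "NOT APPLICABLE"
    return "FAIL" if any(not r.passed for r in relevant) else "PASS"

def evaluate(inventory):
    results = run_checks(inventory)
    return {name: control_status(results, ids) for name, ids in CONTROLS.items()}

def failing_resources(inventory):
    return sorted((r.check_id, r.resource) for r in run_checks(inventory) if not r.passed)

# Constructed inventory, not real resources; no ElastiCache record, so in-transit rolls up as NOT APPLICABLE.
INVENTORY = [
    {"type": "s3", "Name": "customer-uploads", "Region": "eu-west-1",
     "ServerSideEncryptionConfiguration": {"Rules": [
         {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]},
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"type": "s3", "Name": "legacy-exports", "Region": "us-east-1",
     "ServerSideEncryptionConfiguration": None,
     "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"type": "rds", "DBInstanceIdentifier": "crm-prod", "Region": "eu-central-1",
     "StorageEncrypted": False, "PubliclyAccessible": False, "BackupRetentionPeriod": 7},
    {"type": "iam_user", "UserName": "deploy-bot", "MFADevices": []},
    {"type": "security_group", "GroupId": "sg-0abc", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"type": "cloudtrail", "Name": "org-trail", "IsMultiRegionTrail": True, "LogFileValidationEnabled": True},
]

if __name__ == "__main__":
    print(evaluate(INVENTORY), failing_resources(INVENTORY), sep="\n")
```

Swapping the constructed records for live output from calls such as describe_db_instances, get_bucket_encryption, get_public_access_block, list_mfa_devices, describe_security_groups and describe_trails turns this into a working inventory scanner. The rollup rule is the part worth internalising: a control with no evidence is NOT APPLICABLE rather than PASS, and one failing resource is enough to fail the whole control, so remediation is driven by the per-resource results, not by the aggregate status.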
GDPR and Multi-Account Environments
If you operate across multiple AWS accounts, GDPR compliance must be consistent across all accounts that process personal data. Guardian Pro evaluates compliance across your entire organisation and can highlight which accounts have GDPR-related gaps.
Use the account filter on the Compliance Dashboard to:
- Identify which accounts handle personal data and need GDPR controls
- Focus remediation efforts on accounts with the most critical gaps
- Generate per-account compliance reports for internal governance
Building Your GDPR Compliance Package
For organisations undergoing GDPR assessments or responding to Data Protection Authority inquiries, Guardian Pro provides:
- Automated technical assessment -- Continuous evaluation of your infrastructure against GDPR technical requirements. Your compliance score gives you an at-a-glance view of your posture.
- Compliance reports -- Export reports in PDF format showing your current GDPR compliance status, suitable for including in DPIA documentation or sharing with your Data Protection Officer.
- Evidence management -- Attach evidence for organisational controls that cannot be automated, such as DPAs, privacy policies, training records, and DPIA documents.
- Exception documentation -- Create exceptions for controls where you have documented a legitimate reason for deviation, such as a risk acceptance or compensating control.
- Historical trends -- Compliance trends demonstrate ongoing commitment to data protection, showing consistent compliance over time rather than just a point-in-time snapshot.
GDPR does not prescribe specific technical solutions -- it requires "appropriate technical and organisational measures." Guardian Pro's automated checks evaluate your infrastructure against widely accepted security best practices that align with GDPR's principles. Your Data Protection Officer or legal team should confirm that the measures in place are appropriate for your specific data processing activities.